This article is contributed. See the original author and article here.
Azure DevOps email notifications are great, sometimes project team members doesn’t want to get notified for each and every state change in a User Story, Tasks and Bug and only a specific few want to get to notified whenever a bug is created or closed (skipping the intermediate states). And some team members ask for all the fields in the email body they want additional fields instead of the fields that were changed. I have also seen the customer requirement where they want to be notified only specific date and time in a week with summarized work items(e.g. send email of all tasks are in close state under a particular user story).
Though the 1st one is easily achievable using notification settings filter but the still the email will go out to the entire team and the second and third cases are bit tricky, so I decided to implement this solution using Power Automate. Power Automate is a public cloud service to help individuals and teams to set up automated workflows between their favorite apps and services to synchronize, get notifications, collect data, and more.
Before deep dive into Power Automate we should know about it’s license cost. As announced in August, Power Automate is now a fundamental part of the Office 365 suite. Three months after this announcement Power Automate was enabled as a service as a part of all existing Office 365 SKU’s. As users everywhere in the world can now use Power Automate, it has appeared in the app launcher for them.
The Power Automate Free license is used only for tracking purposes. Enabling or disabling it has no effect on a user’s ability to create flows. If you disable the Power Automate Free license, it becomes enabled again when a user logs in. This is the expected behavior.
Lets start work on following requirement – Requirement: Send an Email notification every Friday 11:00 AM with consolidated details e.g. User Story and Tasks. This email should be trigger when all tasks are in closed state (User story ready to close).
As I explained in previous paragraphs that we are going to use Power Automate workflow for Azure DevOps email notification customization. This tool is very helpful doing more with less by streamlining repetitive tasks and business processes—increasing efficiency and reducing costs—with Microsoft Power Automate. We can also use Azure Logic Apps for this purpose and all the required connectors are available there also.
Below are some standard steps to implement the workflow.
Step 1: Go to link – Microsoft Flow to setup new workflow.
Step 2: Go to create option to setup new workflow using automate cloud flow option.
Step 3: In next screen give appropriate name to flow and skip.
Step 4: At next screen, find the “recurrence” trigger to add in our workflow. This trigger will help us to schedule our workflow to be triggered on particular date and time.
In my case I scheduled it for every day for 11:00 AM EST, you can customize it as per your requirement.
Step 5: Click on new step button
Step 6: Search next action “Get Query Result” as part of next step and configure it as shown in below screenshot. In this configuration you have to point you Azure DevOps organization, project name and query saved under Shared Queries section.
Note: I assume you already have the query to fetch the details of parent and child items you want to put in email notifications. If not please create work item query in Azure DevOps.
Here is example of sample nested query – This query will fetch the User Story and all the child tasks associate with it in any state. We can modify it as per our requirement and reference in our “Get Query Result” workflow.
Step 7: Click on new step button
Step 8: This step almost the repetition of step 6 because we have to reference another work item query for apply condition – “write a query that will only send that email if all tasks under one User Story become a certain status”. In my example I want to trigger email when all tasks under user story in “Closed” state. Even a single task in “Active” don’t send an email.
Here is the example of second query – this query will return the result set if any task under user story in Active step. We can modify or customized for other states as well like – New, In progress etc.
Step 9: Click on new step button
Step 10: Search for new action “Condition” and configure it like below conditions. We can add expression “length(body(‘Query_-_Condition’)?[‘value’])” to check the result of previous step query result set value. This condition tells use that trigger email only when all tasks are in “Closed” state and there is no active tasks under User Story.
Step 11: Condition action has two parts “If yes” and “If No”. We have to extend our workflow “if yes” condition meet. So click on “Add an action” button and find for “Create HTML Table” and configure it as shown in below screenshot. Use “Dynamic Content” option to add details in HTML report. Dynamic content section will show the result of all filed values coming from Work item queries we created in previous states. You can add as much as field details you want to show in your email body.
Step 12: Click on “Add an action” button under “If Yes” block and search for “Send an email” action. Configure this task as shown in below screenshot.
To: Your target team email group e.g. team-developers@xyz.com
Subject: [Your choice]
Body: You can design your HTML body template as per your requirement OR alternatively can put simple text with the message you want to send to team with result set of work item query.
The import part is you have to insert the result of work item query (e.g. previous step HTML report output) in email body as shown in below screenshot. You can use “Add Dynamic Content” and click on Output.
Step 13: We have almost done and now the workflow is ready for “Save” and “Test”. It should be look like the below screenshots as per our all the previous steps we have gone through in this guidance document.
Step: 14: Click on “Save” button located a top right section.
Step 15: Click on “Test” button to test your workflow working as expected or not. You can select manual.
Step 16: On successful run you will see the configuration box and an email should be delivered in your inbox with result set. You can see sample email with User Story and Tasks detail with their current state.
This article is contributed. See the original author and article here.
Companies that operate in more than one channel or region must fulfill orders over networks of ever-increasing complexity. When supply shortages happenand they willhow do you make the best use of limited stock across your most important channels, customer groups, regions, and promotions? And once you decide that, how do you make sure the allocated stock is protected from any other use? With inventory allocation, a new capability of the Microsoft Dynamics 365 Supply Chain Management Inventory Visibility service.
Inventory allocation allows you to virtually apportion your on-hand stock as part of the sales operational planning process before any actual sales are made. It has two purposes:
Inventory protection (ring fencing): Protecting the allocated inventory from other allocations, reservations, or sales demands.
Oversell control: Restricting allocated quantities so that the receiving party doesn’t over-consume them when the actual sales transaction takes place.
Incorporate inventory allocation into your sales planning
First, let’s define a few terms:
Allocation group: The group that owns the allocation, such as a sales channel or a customer group.
Allocation group value: The value of each allocation group. For example, “store” might be the value of the sales channel allocation group, and “VIP” might be the value of the customer allocation group.
Allocation hierarchy: A combination of allocation groups in a hierarchy that determines how inventory is allocated to each group.
Virtual common pool: The quantity of inventory that’s available to allocate.
Now let’s do a case study to see how a company might include inventory allocation in its sales planning process to optimize the distribution and fulfillment flow of limited stock.
Inventory allocation case study
Contoso sells laptops both online and in-store in several countries. Supply chain disruptions severely affected manufacturing capacity of a popular model. The company needs to balance its fulfillment capability between its online and in-store channels in Australia and New Zealand.
First, Contoso determines allocation groups and allocation hierarchies in accordance with the company’s distribution strategy. The allocation is virtual based on current stock numbers. It doesn’t necessarily entail moving physical inventory. Contoso does the initial segmentation and planning of allocation quantities in its planning system, but they could also do it manually based on historical experience. They decide to allocate first by regions (Australia, New Zealand) and then by sales channels (online, store).
Next, Contoso executes the allocation in the Inventory Visibility service to ring-fence each group’s allotted quantity. An allocation can’t be used by another group unless a reallocation adjustment is made. The Australia group is allotted 5,000 laptops and the New Zealand group gets 3,000, leaving 2,000 as contingency in the virtual common pool. Of Australia’s 5,000, 3,000 is allotted to its online sales channel group. No stock transfer is needed yet, since the actual sales transactions and fulfillment haven’t taken place.
Next, the company fills its regional and channel demands through physical or soft consumption, ensuring that orders from allocation groups use their allocation. A customer visits Contoso’s Australia website and purchases a laptop. The website checks the Inventory Visibility service, confirms that enough of the Australia allocation for the online sales channel is available to fill the order, and allows the order to be processed. The consumed quantity can either be a soft reservation, as in this case, which deducts from the available stock level without affecting physical inventory quantity; or a deduction from physical stock, as in a “cash and carry” transaction in which the store inventory is directly consumed.
Contoso processes and ships the customer’s order as usual.
You can easily incorporate inventory allocation into your order fulfillment process. You’ll have more control over and visibility into your distribution and fulfillment network so that you can make better use of your on-hand stock. Inventory allocation goes beyond planning right through to the execution phase, ensuring allocated stock is protected and helping you keep your promises to sales channels, customer groups, and business partners.
This article is contributed. See the original author and article here.
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
This article is contributed. See the original author and article here.
What is Arc for Azure VMware Solution? Simply put, it exposes your Azure VMware Solution resources (VMs, networks, datastores, etc.) to the Azure portal.
Using Arc for Azure VMware Solution, those resources can be managed via the Azure portal, even though they are within your vSphere cluster running in an Azure datacenter. Even better, there is no cost to deploy Arc for Azure VMware Solution. More blogs to come on Arc for Azure VMware Solution, but if you want to get some more details check out this video from Jeremiah Megie.
First things first. Let’s get Arc for Azure VMware Solution installed into your private cloud.
You will need to collect the following information to input into thePowerShell script, which, if you use it, will make the deployment a bit more straightforward.
Subscription ID and Resource Group where the Azure VMware Solution private cloud is deployed.
Name of the Azure VMware Solution private cloud.
/28 network segment for the ARC appliance.
The/28 network segment will be an NSX-T segment in the private cloud. Under the covers, the deployment script creates NSX-T segment for use by the ARC appliances. The value must be entered into the script as the gateway to the segment, followed by /28. For example, if 192.168.99.1/28 is entered, there will be a /28 NSX-T segment created with the gateway 192.168.99.1.
The other information you can get from the Overview blade of your private cloud.
Requirements
Your private cloud must have Internet access.
Also, because of the appliance size, ideally you would want to run this script as close to the private cloud, or from a machine inside the AVS Private Cloud.
This article is contributed. See the original author and article here.
CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.
The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:
Train users to recognize and report phishing attempts.
Enable and enforce phishing-resistant multifactor authentication.
Install and regularly update antivirus and antimalware software on all hosts.
This article is contributed. See the original author and article here.
Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.
The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.
The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. The IOCs in this product should be useful to sectors previously targeted by DPRK cyber operations (e.g., U.S. government, Department of Defense, and Defense Industrial Base). The authoring agencies highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
Download the PDF version of this report: pdf, 661 kb.
For a downloadable copy of IOCs, see AA23-040A.stix (STIX, 197 kb).
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns—namely Maui and H0lyGh0st ransomware. The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S. healthcare systems.
Observable TTPs
The TTPs associated with DPRK ransomware attacks include those traditionally observed in ransomware operations. Additionally, these TTPs span phases from acquiring and purchasing infrastructure to concealing DPRK affiliation:
Acquire Infrastructure [T1583]. DPRK actors generate domains, personas, and accounts; and identify cryptocurrency services to conduct their ransomware operations. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.
Obfuscate Identity. DPRK actors purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments.
Purchase VPNs and VPSs [T1583.003]. DPRK cyber actors will also use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from DPRK.
Gain Access [TA0001]. Actors use various exploits of common vulnerabilities and exposures (CVE) to gain access and escalate privileges on networks. Recently observed CVEs that actors used to gain access include remote code execution in the Apache Log4j software library (known as Log4Shell) and remote code execution in unpatched SonicWall SMA 100 appliances [T1190 and T1133]. Observed CVEs used include:
CVE 2021-44228
CVE-2021-20038
CVE-2022-24990
Actors also likely spread malicious code through Trojanized files for “X-Popup,” an open source messenger commonly used by employees of small and medium hospitals in South Korea [T1195].
The actors spread malware by leveraging two domains: xpopup.pe[.]kr and xpopup.com. xpopup.pe[.]kr is registered to IP address 115.68.95[.]128 and xpopup[.]com is registered to IP address 119.205.197[.]111. Related file names and hashes are listed in table 1.
Table 1: Malicious file names and hashes spread by xpopup domains
File Name
MD5 Hash
xpopup.rar
1f239db751ce9a374eb9f908c74a31c9
X-PopUp.exe
6fb13b1b4b42bac05a2ba629f04e3d03
X-PopUp.exe
cf8ba073db7f4023af2b13dd75565f3d
xpopup.exe
4e71d52fc39f89204a734b19db1330d3
x-PopUp.exe
43d4994635f72852f719abb604c4a8a1
xpopup.exe
5ae71e8440bf33b46554ce7a7f3de666
Move Laterally and Discovery [TA0007, TA0008]. After initial access, DPRK cyber actors use staged payloads with customized malware to perform reconnaissance activities, upload and download additional files and executables, and execute shell commands [T1083, T1021]. The staged malware is also responsible for collecting victim information and sending it to the remote host controlled by the actors [TA0010].
Employ Various Ransomware Tools [TA0040]. Actors have used privately developed ransomware, such as Maui and H0lyGh0st [T1486]. Actors have also been observed using or possessing publically available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. In some cases, DPRK actors have portrayed themselves as other ransomware groups, such as the REvil ransomware group. For IOCs associated with Maui and H0lyGh0st ransomware usage, please see Appendix B.
Demand Ransom in Cryptocurrency. DPRK cyber actors have been observed setting ransoms in bitcoin [T1486]. Actors are known to communicate with victims via Proton Mail email accounts. For private companies in the healthcare sector, actors may threaten to expose a company’s proprietary data to competitors if ransoms are not paid. Bitcoin wallet addresses possibly used by DPRK cyber actors include:
1MTHBCrBKYEthfa16zo9kabt4f9jMJz8Rm
bc1q80vc4yjgg6umedkut3e9mhehxl4q4dcjjyzh59
1J8spy62o7z2AjQxoUpiCGnBh5cRWKVWJC
16ENLdHbnmDcEV8iqN4vuyZHa7sSdYRh76
bc1q3wzxvu8yhs8h7mlkmf7277wyklkah9k4sm9anu
bc1q8xyt4jxhw7mgqpwd6qfdjyxgvjeuz57jxrvgk9
1NqihEqYaQaWiZkPVdSMiTbt7dTy1LMxgX
bc1qxrpevck3pq1yzrx2pq2rkvkvy0jnm56nzjv6pw
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
1KCwfCUgnSy3pzNX7U1i5NwFzRtth4bRBc
16sYqXancDDiijcuruZecCkdBDwDf4vSEC
1N6JphHFaYmYaokS5xH31Z67bvk4ykd9CP
LZ1VNJfn6mWjPzkCyoBvqWaBZYXAwn135
1KmWW6LgdgykBBrSXrFu9kdoHz95Fe9kQF
1FX4W9rrG4F3Uc7gJ18GCwGab8XuW8Ajy2
bc1qlqgu2l2kms5338zuc95kxavctzyy0v705tpvyc
bc1qy6su7vrh7ts5ng2628escmhr98msmzg62ez2sp
bc1q8t69gpxsezdcr8w6tfzp3jeptq4tcp2g9d0mwy
bc1q9h7yj79sqm4t536q0fdn7n4y2atsvvl22m28ep
bc1qj6y72rk039mqpgtcy7mwjd3eum6cx6027ndgmd
bc1qcp557vltuu3qc6pk3ld0ayagrxuf2thp3pjzpe
bc1ql8wsflrjf9zlusauynzjm83mupq6c9jz9vnqxg
bc1qx60ec3nfd5yhsyyxkzkpts54w970yxj84zrdck
bc1qunqnjdlvqkjuhtclfp8kzkjpvdz9qnk898xczp
bc1q6024d73h48fnhwswhwt3hqz2lzw6x99q0nulm4
bc1qwdvexlyvg3mqvqw7g6l09qup0qew80wjj9jh7x
bc1qavrtge4p7dmcrnvhlvuhaarx8rek76wxyk7dgg
bc1qagaayd57vr25dlqgk7f00nhz9qepqgnlnt4upu
bc1quvnaxnpqlzq3mdhfddh35j7e7ufxh3gpc56hca
bc1qu0pvfmtxawm8s99lcjvxapungtsmkvwyvak6cs
bc1qg3zlxxhhcvt6hkuhmqml8y9pas76cajcu9ltdl
bc1qn7a3g23nzpuytchyyteyhkcse84cnylznl3j32
bc1qhfmqstxp3yp9muvuz29wk77vjtdyrkff4nrxpu
bc1qnh8scrvuqvlzmzgw7eesyrmtes9c5m78duetf3
bc1q7qry3lsrphmnw3exs7tkwzpvzjcxs942aq8n0y
bc1qcmlcxfsy0zlqhh72jvvc4rh7hvwhx6scp27na0
bc1q498fn0gauj2kkjsg35mlwk2cnxhaqlj7hkh8xy
bc1qnz4udqkumjghnm2a3zt0w3ep8fwdcyv3krr3jq
bc1qk0saaw7p0wrwla6u7tfjlxrutlgrwnudzx9tyw
bc1qyue2pgjk09ps7qvfs559k8kee3jkcw4p4vdp57
bc1q6qfkt06xmrpclht3acmq00p7zyy0ejydu89zwv
bc1qmge6a7sp659exnx78zhm9zgrw88n6un0rl9trs
bc1qcywkd7zqlwmjy36c46dpf8cq6ts6wgkjx0u7cn
Note: These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the U.S. National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
The authoring agencies urge HPH organizations to:
Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system [CPG 3.3].
Implement the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts [CPG 1.5], which grant excessive system administration privileges.
Turn off weak or unnecessary network device management interfaces, such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled.
Protect stored data by masking the permanent account number (PAN) when displayed and rendering it unreadable when stored—through cryptography, for example.
Secure the collection, storage, and processing practices for personally identifiable information (PII)/protected health information (PHI), per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures could prevent the introduction of malware to the system [CPG 3.4].
Secure PII/ PHI at collection points and encrypt the data at rest and in transit using technologies, such as TLS. Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available.
Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.
Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer [CPG 8.1].
Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise [CPG 3.1].
In addition, the authoring agencies urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for and mitigate ransomware incidents:
Maintain isolated backups of data, and regularly test backup and restoration [CPG 7.3]. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware incident and protect against data losses.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident [CPG 7.1, 7.2].
Install updates for operating systems, software, and firmware as soon as they are released [CPG 5.1]. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Regularly check for software updates and end-of-life notifications and prioritize patching known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
If you use Remote Desktop Protocol (RDP), or other potentially risky services, secure and monitor them closely [CPG 5.4].
Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources, and require phishing-resistant multifactor authentication (MFA) to mitigate credential theft and reuse [CPG 1.3]. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports [CPG 1.1, 3.1].
Ensure devices are properly configured and that security features are enabled. Disable ports and protocols not in use for a business purpose (e.g., RDP Transmission Control Protocol port 3389).
Restrict the Server Message Block (SMB) protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across organizations.
Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity [CPG 5.6, 6.2].
Implement application control policies that only allow systems to execute known and permitted programs [CPG 2.1].
Open document readers in protected viewing modes to help prevent active content from running.
Implement a user training program and phishing exercises [CPG 4.3] to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.
Require phishing-resistant MFA for as many services as possible [CPG 1.3]—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
Require administrator credentials to install software [CPG 1.5].
Audit user accounts with administrative or elevated privileges [CPG 1.5] and configure access controls with least privilege in mind.
Install and regularly update antivirus and antimalware software on all hosts.
Only use secure networks. Consider installing and using a VPN.
Consider adding an email banner to messages coming from outside your organizations [CPG 8.3] indicating that they are higher risk messages.
Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS) program to receive real-time exchange of machine-readable cyber threat indicators and defensive measures.
If a ransomware incident occurs at your organization:
Follow your organization’s ransomware response checklist.
Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware. This should be performed using an isolated, trusted system to avoid exposing backups to potential compromise.
U.S. organizations: Follow the notification requirements as outlined in your cyber incident response plan. Report incidents to appropriate authorities; in the U.S., this would include the FBI at a local FBI Field Office, CISA at cisa.gov/report, or the U.S. Secret Service (USSS) at a USSS Field Office.
South Korean organizations: Please report incidents to NIS, KISA (Korea Internet & Security Agency), and KNPA (Korean National Police Agency).
The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. As stated above, the authoring agencies discourage paying ransoms. Payment does not guarantee files will be recovered and may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, the agencies understand that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees, and customers.
Regardless of whether you or your organization decide to pay a ransom, the authoring agencies urge you to promptly report ransomware incidents using the contact information above.
Acknowledgements
NSA, FBI, CISA, and HHS would like to thank ROK NIS and DSA for their contributions to this CSA.
Disclaimer of endorsement
The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Trademark recognition
Microsoft Threat Intelligence Center is a registered trademark of Microsoft Corporation. Apache®, Sonicwall, and Apache Log4j are trademarks of Apache Software Foundation. TerraMaster Operating System is a registered trademark of Octagon Systems.
Purpose
This document was developed in furtherance of the authors’ cybersecurity missions, including their responsibilities to identify and disseminate threats, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Appendix A: CVE Details
CVE-2021-44228 CVSS 3.0: 10 (Critical)
Vulnerability Description Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Recommended Mitigations Apply patches provided by vendor and perform required system updates.
Vulnerable Technologies and Versions There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, please check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
Vulnerability Description A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a ‘nobody’ user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
Recommended Mitigations Apply all appropriate vendor updates Upgrade to:
SMA 100 Series – (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure):
SonicWall SMA100 build versions 10.2.0.9-41sv or later
SonicWall SMA100 build versions 10.2.1.3-27sv or later
System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions.
Support for 9.0.0 firmware ended on 10/31/2021. Customers still using that firmware are requested to upgrade to the latest 10.2.x versions.
Vulnerable Technologies and Versions Sonicwall Sma 200 Firmware 10.2.0.8-37Sv Sonicwall Sma 200 Firmware 10.2.1.1-19Sv Sonicwall Sma 200 Firmware 10.2.1.2-24Sv Sonicwall Sma 210 Firmware 10.2.0.8-37Sv Sonicwall Sma 210 Firmware 10.2.1.1-19Sv Sonicwall Sma 210 Firmware 10.2.1.2-24Sv Sonicwall Sma 410 Firmware 10.2.0.8-37Sv Sonicwall Sma 410 Firmware 10.2.1.1-19Sv Sonicwall Sma 410 Firmware 10.2.1.2-24Sv Sonicwall Sma 400 Firmware 10.2.0.8-37Sv Sonicwall Sma 400 Firmware 10.2.1.1-19Sv Sonicwall Sma 400 Firmware 10.2.1.2-24Sv Sonicwall Sma 500V Firmware 10.2.0.8-37Sv Sonicwall Sma 500V Firmware 10.2.1.1-19Sv Sonicwall Sma 500V Firmware 10.2.1.2-24Sv
Vulnerability Description The TerraMaster OS Unauthenticated Remote Command Execution via PHP Object Instantiation Vulnerability is characterized by scanning activity targeting a flaw in the script enabling a remote adversary to execute commands on the target endpoint. The vulnerability is created by improper input validation of the webNasIPS component in the api.php script and resides on the TNAS device appliances’ operating system where users manage storage, backup data, and configure applications. By exploiting the script flaw a remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary commands on the target system. This may result in complete compromise of the target system, including the exfiltration of information. TNAS devices can be chained to acquire unauthenticated remote code execution with highest privileges.
Recommended Mitigations Install relevant vendor patches. This vulnerability was patched in TOS version 4.2.30
Table 2 lists MD5 and SHA256 hashes associated with malware implants, RATs, and other tools used by DPRK cyber actors, including tools that drop Maui ransomware files.
Table 2: File names and hashes of malicious implants, RATs, and tools
This article is contributed. See the original author and article here.
Last year, Reading Coach launched as part of Reading Progress in Microsoft Teams. Reading Coach provides students with personalized and independent practice that Reading Progress identifies a student has mispronounced. Reading Coach has proven to be popular not only with educators, but especially with students. We’ve heard stories from teachers of students “demanding more passages” from the teacher, and that they’ve set personal goals of improvement. To enable students to practice with content that aligns with their interests and focus, without the need for a teacher to make an assignment in Teams, we are rolling out Reading Coach as part of the Immersive Reader in many of our M365 apps. This will be available in school, consumer and work accounts, and in 116 languages and locales.
Now anyone using Immersive Reader, with any content they choose, can go to the Reading Preferences pane, enable Reading Coach to practice reading out loud and receive focused practice exercises. When the Reading Coach switch is enabled, the Play button in the Immersive Reader changes to a Microphone button. Students can select the Edit button near the Reading Coach toggle to customize parts of the coach inluding the voice, feedback style, and more. When the microphone button is selected, a dialog pops up that encourages the student to prepare to read out loud.
Once the student selects Let’s read, a 3…2…1 countdown appears, and practice begins. The student reads out loud for as long as they like while Immersive Reader “listens” to their performance. When finished, the reader selects Stop, and a reading report immediately provides data on their reading speed, accuracy, time spent reading, and any words to practice.
If the Practice Words button is clicked, the Reading Coach pops up to allow personalized practice. The Reading Coach interface is the exact same as the one in Reading Progress in Teams.
The initial set of apps that Reading Coach in Immersive Reader is available include Word for web, OneNote for web, Desktop, Mac and iPad, Teams Assignments, Flip and Minecraft Education. We expect to bring Reading Coach to more apps in the near future.
Updates to Education Insights Premium for Reading Progress
We’re excited to share that Education Insights Premium(including all Reading Progress data) is now included in all versions of Microsoft 365 Education including our no-cost Office 365 A1 license. Education Insights Premium enables education leaders to monitor student academic progress and wellbeing across their organization to help improve learning outcomes with actionable insights. Built with student safety, privacy, and security in mind, it helps schools support students while maintaining compliance with industry standards. Below is an example of a Reading Progress report across an entire school system.
Reading comprehension questions in Reading Progress
Our reading fluency app Reading Progress, launched in Microsoft Teams in fall of 2021. Reading Progress supports educators in increasing the frequency of reading fluency evaluations, helping them to differentiate more powerfully to support students on their fluency journey. The #1 request from educators and schools has been a desire to add reading comprehension questions for the student to complete after they read. We heard educator’s request and are excited to announce that we will be adding reading comprehension question support to reading progress later this year! Using Microsoft Forms technology, educators will be able to assess not only students’ fluency, but also their understanding, right in Reading Progress. Educators will be able to provide students with access to the questions prior to reading if they wish, a scaffolding strategy that can help students learn to read with purpose. The auto-grading capabilities of Microsoft Quiz will also be included to streamline grading of multiple-choice questions. We expect to have comprehension questions in private testing later in late spring of 2023.
Reading with expression (prosody) in Reading Progress
Reading fluency is composed of three pillars – speed, accuracy, and expression. The initial version of Reading Progress uses auto-detect to help track reading speed and accuracy, but historically an educator needs to listen to each student independently to gauge their expression.
With our forthcoming Expression update, Reading Progress will automatically identify students’ performance on aspects of prosody including monotone reading, long pauses, not pausing for a period or comma, voice inflection for question marks or exclamation points, and even the stress of multi-syllable words. Student expression results will be available in the teacher review experience, alongside accuracy and correct words per minute. Later, this information will be added to the student’s view of their returned work and incorporated in Insights so it can be easily monitored over time. Reading expression updates will begin rolling out to Reading Progress in late spring.
With the introduction of Reading Coach in Immersive Reader and the continued evolution of Reading Progress, we hope to maintain students’ excitement for and growth in literacy while supporting educators as they work to help every student reach their fluency goals.
Mike Tholfsen Group Product Manager Microsoft Education
This article is contributed. See the original author and article here.
With global volatility and inflation impacting organizations across all industries, business agility has never been more important. Leaders turn to finance teams to get real-time insight into business performance and recommendations on future initiatives that will help them thrive amid disruption. But finance teams are overwhelmed with manual tasks, cobbling together data, and disconnected teams. Achieving game-changing business agility begins with augmenting the human ingenuity of your people with intelligent process automation.
When it comes to reimagining processes with AI, automation, and analytics, many finance leaders don’t know where to start. This year, at the third annual Finance Reimagined digital event, we will delve into real-world best practices from Microsoft and industry leaders that will help you prioritize the right cost optimization, growth acceleration, and workforce transformation initiatives.
Finance Reimagined 2023
Tuesday, February 28, 2023, 9:00 AM to 10:15 AM Pacific Time (UTC-7)
Finance Reimagined: Bringing the future of finance into focus
Finance Reimagined is a virtual event bringing together finance leaders from around the world. On February 28, 2023, from 9:00 AM to10:15 AM PT, you can unpack the latest trends shaping the future of finance including the strategic evolution of the role of CFO within organizations, maintaining commitments to multiple stakeholders and bottom lines against a challenging economic environment, and the opportunities to drive transformation through the partnership of human ingenuity and AI.
Discover what’s top of mind for CFOs and financial leaders
You’ll discover best practices, trends, and priorities that are top of mind for CFOs and finance leaders. We’ve lined up experts from Microsoft, IDC, Avanade, EY, HSO, KPMG, and PwC to deliver actionable insights on how to strike the right balance between the following:
Human and AI
Find harmony between automation and your organization’s most important assetyour people. We will tackle one of the top concerns for CFOs today: workforce optimization. The heart of productivity sits in employee well-beingor the organization’s ability to increase creativity, job satisfaction, and ultimately, happiness. Human ingenuity is now business’ greatest investment to drive long-term vision and needs to be incentivized. Automation changes the way we work, thus organizational structures, required competencies, and roles must change as well. Get tips at Finance Reimagined on how to prioritize automation initiatives and how to use them to augment your people resources.
Cost optimization and growth acceleration
Embrace a dual role of gatekeeper and innovator to bring more strategic value to your organization. You’ll hear from a panel of finance leaders at Microsoft as they respond to trends from a recent study of more than 500 senior finance leaders from across all industries. Learn how Microsoft is empowering our finance leaders to do more with less to guide teams through these uncertain times. We will discuss tactics to optimize cash flow, increase operational effectiveness, and reinvest to meet growth expectations.
The speed of business and risk mitigation
Organizational health has become increasingly dependent on data and tools to facilitate agile, data-driven decision making. Finance teams are doubling down on their efforts to keep up with our world’s increasingly volatile and interconnected markets that demand more fluid operating models, extending beyond the walls of an organization. This means that the role of the finance leader has evolved from being an economic guardian inside the walls of an enterprise to designing new business models that focus on delivering customer value outside of an enterprise. This evolution is only possible through a tight partnership between the CFO and Chief Technology Officer (CTO) to ensure data security while activating insights at every level of the organization. Join us for a discussion with the CFO and CTO at Robert Walters, a global recruitment and talent management company with a team of experts spanning 31 countries and serving more than 4,300 clients, to hear how they partnered to speed the time to insight within their organization.
Register today to attend Finance Reimagined for your look ahead at the emerging trends and essential insights defining how tomorrow’s businesses will thrive. We hope to see you there.
Recent Comments