Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors

This article is contributed. See the original author and article here.

Summary

This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).

NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.

For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories & Guidance.

Download the PDF version of this report: pdf, 409 KB

Technical Details

NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cyber actors continue to target government and critical infrastructure networks with an increasing array of new and adaptive techniques—some of which pose a significant risk to Information Technology Sector organizations (including telecommunications providers), Defense Industrial Base (DIB) Sector organizations, and other critical infrastructure organizations.

PRC state-sponsored cyber actors continue to exploit known vulnerabilities and use publicly available tools to target networks of interest. NSA, CISA, and FBI assess PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. See Table 1 for the top used CVEs.

Table I: Top CVEs most used by Chinese state-sponsored cyber actors since 2020

| Vendor | CVE | Vulnerability Type |
| --- | --- | --- |
| Apache Log4j | CVE-2021-44228 | Remote Code Execution |
| Pulse Connect Secure | CVE-2019-11510 | Arbitrary File Read |
| GitLab CE/EE | CVE-2021-22205 | Remote Code Execution |
| Atlassian | CVE-2022-26134 | Remote Code Execution |
| Microsoft Exchange | CVE-2021-26855 | Remote Code Execution |
| F5 Big-IP | CVE-2020-5902 | Remote Code Execution |
| VMware vCenter Server | CVE-2021-22005 | Arbitrary File Upload |
| Citrix ADC | CVE-2019-19781 | Path Traversal |
| Cisco Hyperflex | CVE-2021-1497 | Command Line Execution |
| Buffalo WSR | CVE-2021-20090 | Relative Path Traversal |
| Atlassian Confluence Server and Data Center | CVE-2021-26084 | Remote Code Execution |
| Hikvision Webserver | CVE-2021-36260 | Command Injection |
| Sitecore XP | CVE-2021-42237 | Remote Code Execution |
| F5 Big-IP | CVE-2022-1388 | Remote Code Execution |
| Apache | CVE-2022-24112 | Authentication Bypass by Spoofing |
| ZOHO | CVE-2021-40539 | Remote Code Execution |
| Microsoft | CVE-2021-26857 | Remote Code Execution |
| Microsoft | CVE-2021-26858 | Remote Code Execution |
| Microsoft | CVE-2021-27065 | Remote Code Execution |
| Apache HTTP Server | CVE-2021-41773 | Path Traversal |

These state-sponsored actors continue to use virtual private networks (VPNs) to obfuscate their activities and target web-facing applications to establish initial access. Many of the CVEs indicated in Table 1 allow the actors to surreptitiously gain unauthorized access into sensitive networks, after which they seek to establish persistence and move laterally to other internally connected networks. For additional information on PRC state-sponsored cyber actors targeting network devices, please see People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.

Mitigations

NSA, CISA, and FBI urge organizations to apply the recommendations below and those listed in Appendix A.

  • Update and patch systems as soon as possible. Prioritize patching vulnerabilities identified in this CSA and other known exploited vulnerabilities.
  • Utilize phishing-resistant multi-factor authentication whenever possible. Require all accounts with password logins to have strong, unique passwords, and change passwords immediately if there are indications that a password may have been compromised. 
  • Block obsolete or unused protocols at the network edge. 
  • Upgrade or replace end-of-life devices.
  • Move toward the Zero Trust security model. 
  • Enable robust logging of Internet-facing systems and monitor the logs for anomalous activity.

Appendix A

Table II: Apache CVE-2021-44228

Apache CVE-2021-44228 CVSS 3.0: 10 (Critical)

Vulnerability Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against malicious actor controlled LDAP and other JNDI related endpoints. A malicious actor who can control log messages or log message parameters could execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Recommended Mitigations

  • Apply patches provided by vendor and perform required system updates.

Detection Methods

Vulnerable Technologies and Versions

There are numerous vulnerable technologies and versions associated with CVE-2021-44228. For a full list, check https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
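The version ranges in the description above translate directly into an inventory check. The following Python is an added example written for this page, not code from the advisory, NSA, CISA or the Apache project: it restates the affected and fixed versions as data, parses Log4j's version strings (including the 2.0-betaN form), and classifies log4j-core jars found in a constructed list of file paths. The paths and the `scan_inventory` helper are illustrative assumptions; in practice the paths would come from an SBOM or a filesystem search.

```python
import re

# Version facts restated from the CVE-2021-44228 description above.
# Affected: log4j-core 2.0-beta9 through 2.15.0, except the security
# backports 2.12.2, 2.12.3 and 2.3.1. From 2.16.0 the JNDI message lookup
# is removed. 2.15.0 only disables lookups by default, so the advisory
# still lists it inside the affected range and this check does the same.
SAFE_BACKPORTS = {(2, 12, 2), (2, 12, 3), (2, 3, 1)}
PRE_RELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?")
# Matches jar file names such as log4j-core-2.14.1.jar; log4j-api, log4net
# and log4cxx deliberately do not match (the description says they are not
# affected by this CVE).
JAR_RE = re.compile(r"log4j-core-(\d[^/\\]*?)\.jar$")


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a tuple that sorts correctly.

    The fourth element is 0 for pre-releases and 1 for final releases so
    that 2.0-beta9 < 2.0 < 2.0.1, matching how Log4j numbered its builds.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    if tag:
        return (int(major), int(minor), int(patch or 0), 0, PRE_RELEASE_ORDER[tag], int(tag_num))
    return (int(major), int(minor), int(patch or 0), 1, 0, 0)


FIRST_AFFECTED = parse_version("2.0-beta9")
LAST_AFFECTED = parse_version("2.15.0")
FIRST_FIXED = parse_version("2.16.0")


def classify(version):
    """Return 'fixed', 'vulnerable' or 'not-covered' for one log4j-core version."""
    v = parse_version(version)
    if v[:3] in SAFE_BACKPORTS and v[3] == 1:
        return "fixed"
    if v >= FIRST_FIXED:
        return "fixed"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "vulnerable"
    # Older than 2.0-beta9 (e.g. the 1.x line), which this CVE does not describe.
    return "not-covered"


def scan_inventory(paths):
    """Classify every log4j-core jar found in a list of file paths.

    Returns (path, version, status) tuples; files that are not log4j-core
    jars are skipped.
    """
    findings = []
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            findings.append((path, m.group(1), classify(m.group(1))))
    return findings


# Constructed sample inventory; the paths are illustrative, not from the advisory.
SAMPLE_INVENTORY = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/opt/app2/lib/log4j-core-2.12.2.jar",
    "/opt/app3/lib/log4j-core-2.16.0.jar",
    "/opt/app4/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/opt/dotnet/bin/log4net.dll",
]

if __name__ == "__main__":
    for path, version, status in scan_inventory(SAMPLE_INVENTORY):
        print(f"{status:<12} {version:<10} {path}")
```

Run as a script it prints one line per log4j-core jar; the two non-core files are ignored on purpose. Version comparison is done on parsed tuples rather than string comparison so that `2.0-beta9` sorts below `2.0` and `2.15.0` sorts below `2.16.0`.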

Table III: Pulse CVE-2019-11510

Pulse CVE-2019-11510 CVSS 3.0: 10 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote malicious actor could send a specially crafted URI to exploit an arbitrary file read vulnerability.

Recommended Mitigations

  • Apply patches provided by vendor and perform required system updates.

Detection Methods

  • Use CISA’s “Check Your Pulse” Tool.

Vulnerable Technologies and Versions

Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4

Table IV: GitLab CVE-2021-22205

GitLab CVE-2021-22205 CVSS 3.0: 10 (Critical)

Vulnerability Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files passed to a file parser, which resulted in a remote command execution.

Recommended Mitigations

  • Update GitLab to 12.10.3, 13.9.6, or 13.8.8.
  • Hotpatch is available via GitLab.

Detection Methods

  • Investigate logfiles.
  • Check GitLab Workhorse.

Vulnerable Technologies and Versions

GitLab CE/EE

Table V: Atlassian CVE-2022-26134

Atlassian CVE-2022-26134 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that could allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, 7.13.0 before 7.13.7, 7.14.0 before 7.14.3, 7.15.0 before 7.15.2, 7.16.0 before 7.16.4, 7.17.0 before 7.17.4, and 7.18.0 before 7.18.1.

Recommended Mitigations 

  • Immediately block all Internet traffic to and from affected products AND apply the update per vendor instructions. 
  • Ensure Internet-facing servers are up-to-date and have secure compliance practices.
  • Short term workaround is provided here.

Detection Methods

N/A

Vulnerable Technologies and Versions

All supported versions of Confluence Server and Data Center

Confluence Server and Data Center versions after 1.3.0

Table VI: Microsoft CVE-2021-26855

Microsoft CVE-2021-26855 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Microsoft has released security updates for Windows Exchange Server. To exploit these vulnerabilities, an authenticated malicious actor could send malicious requests to an affected server. A malicious actor who successfully exploited these vulnerabilities would execute arbitrary code and compromise the affected systems. If successfully exploited, these vulnerabilities could allow an adversary to obtain access to sensitive information, bypass security restrictions, cause denial of service conditions, and/or perform unauthorized actions on the affected Exchange server, which could aid in further malicious activity.

Recommended Mitigations

  • Apply the appropriate Microsoft Security Update:
      - Microsoft Exchange Server 2013 Cumulative Update 23 (KB5000871)
      - Microsoft Exchange Server 2016 Cumulative Update 18 (KB5000871)
      - Microsoft Exchange Server 2016 Cumulative Update 19 (KB5000871)
      - Microsoft Exchange Server 2019 Cumulative Update 7 (KB5000871)
      - Microsoft Exchange Server 2019 Cumulative Update 8 (KB5000871)
  • Restrict untrusted connections.

Detection Methods

  • Analyze Exchange product logs for evidence of exploitation.
  • Scan for known webshells.

Vulnerable Technologies and Versions

Microsoft Exchange 2013, 2016, and 2019.

Table VII: F5 CVE-2020-5902

Table VIII: VMware CVE-2021-22005

VMware CVE-2021-22005 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.

Recommended Mitigations

  • Apply Vendor Updates.

Detection Methods

N/A

Vulnerable Technologies and Versions

VMware Cloud Foundation

VMware vCenter Server

Table IX: Citrix CVE-2019-19781

Citrix CVE-2019-19781 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. These versions allow directory traversal.

Recommended Mitigations

Detection Methods

N/A

Vulnerable Technologies and Versions

Citrix ADC, Gateway, and SD-WAN WANOP

Table X: Cisco CVE-2021-1497

Cisco CVE-2021-1497 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX could allow an unauthenticated, remote malicious actor to perform a command injection against an affected device. For more information about these vulnerabilities, see the Technical details section of Cisco’s advisory.

Recommended Mitigations

  • Apply Cisco software updates.

Detection Methods

  • Look at the Snort Rules provided by Cisco.

Vulnerable Technologies and Versions

Cisco HyperFlex HX Data Platform 4.0(2a)

Table XI: Buffalo CVE-2021-20090

Buffalo CVE-2021-20090 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote malicious actors to bypass authentication.

Recommended Mitigations

  • Update firmware to latest available version.


Detection Methods

Vulnerable Technologies and Versions

Buffalo WSR-2533DHPL2-BK Firmware

Buffalo WSR-2533DHP3-BK Firmware

Table XII: Atlassian CVE-2021-26084

Atlassian CVE-2021-26084 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated malicious actor to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23 and from version 6.14.0 before 7.4.11, version 7.5.0 before 7.11.6, and version 7.12.0 before 7.12.5.

Recommended Mitigations

  • Update Confluence to version 6.13.23, 7.4.11, 7.11.6, 7.12.5, or 7.13.0.
  • Avoid using end-of-life devices.
  • Use Intrusion Detection Systems (IDS).

Detection Methods

N/A

Vulnerable Technologies and Versions

Atlassian Confluence

Atlassian Confluence Server

Atlassian Data Center

Atlassian Jira Data Center

Table XIII: Hikvision CVE-2021-36260

Hikvision CVE-2021-36260 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A command injection vulnerability exists in the web server of some Hikvision products. Due to the insufficient input validation, a malicious actor can exploit the vulnerability to launch a command injection by sending some messages with malicious commands.

Recommended Mitigations

  • Apply the latest firmware updates.

Detection Methods

N/A

Vulnerable Technologies and Versions

Various Hikvision firmware, including DS, IDS, and PTZ products

References

https://www.cisa.gov/uscert/ncas/current-activity/2021/09/28/rce-vulnerability-hikvision-cameras-cve-2021-36260  

Table XIV: Sitecore CVE-2021-42237

Sitecore CVE-2021-42237 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.

Recommended Mitigations

  • Update to latest version.
  • Delete the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx.

Detection Methods

Vulnerable Technologies and Versions

  • Sitecore Experience Platform 7.5, 7.5 Update 1, and 7.5 Update 2
  • Sitecore Experience Platform 8.0, 8.0 Service Pack 1, and 8.0 Update 1-Update 7
  • Sitecore Experience Platform 8.0 Service Pack 1
  • Sitecore Experience Platform 8.1, and Update 1-Update 3
  • Sitecore Experience Platform 8.2, and Update 1-Update 7

Table XV: F5 CVE-2022-1388

F5 CVE-2022-1388 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Recommended Mitigations

  • Block iControl REST access through the self IP address.
  • Block iControl REST access through the management interface.
  • Modify the BIG-IP httpd configuration.

Detection Methods

N/A

Vulnerable Technologies and Versions

BIG-IP versions:

  • 16.1.0-16.1.2
  • 15.1.0-15.1.5
  • 14.1.0-14.1.4
  • 13.1.0-13.1.4
  • 12.1.0-12.1.6
  • 11.6.1-11.6.5

Table XVI: Apache CVE-2022-24112

Apache CVE-2022-24112 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

A malicious actor can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data plane, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX’s data plane. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed.

Recommended Mitigations

  • In affected versions of Apache APISIX, you can avoid this risk by explicitly commenting out batch-requests in the conf/config.yaml and conf/config-default.yaml files and restarting Apache APISIX.
  • Update to 2.10.4 or 2.12.1.

Detection Methods

N/A

Vulnerable Technologies and Versions

Apache APISIX between 1.3 and 2.12.1 (excluding 2.12.1)

LTS versions of Apache APISIX between 2.10.0 and 2.10.4

Table XVII: ZOHO CVE-2021-40539

ZOHO CVE-2021-40539 CVSS 3.0: 9.8 (Critical)

Vulnerability Description

Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

Recommended Mitigations

  • Upgrade to latest version.

Detection Methods

  • Run ManageEngine’s detection tool.
  • Check for specific files and logs.

Vulnerable Technologies and Versions

Zoho Corp ManageEngine ADSelfService Plus

Table XVIII: Microsoft CVE-2021-26857

Microsoft CVE-2021-26857 CVSS 3.0: 7.8 (High)

Vulnerability Description

Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.

Recommended Mitigations

  • Update to the latest supported version.
  • Install Microsoft security patch.
  • Use Microsoft Exchange On-Premises Mitigation Tool.

Detection Methods

  • Run Exchange script: https://github.com/microsoft/CSS-Exchange/tree/main/Security.
  • Hashes can be found here: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log.

Vulnerable Technologies and Versions

Microsoft Exchange Servers

Table XIX: Microsoft CVE-2021-26858

Table XX: Microsoft CVE-2021-27065

Table XXI: Apache CVE-2021-41773

Apache CVE-2021-41773 CVSS 3.0: 7.5 (High)

Vulnerability Description

This vulnerability has been modified since it was last analyzed by NVD. It is awaiting reanalysis, which may result in further changes to the information provided. A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. A malicious actor could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied,” these requests can succeed. Enabling CGI scripts for these aliased paths could allow for remote code execution. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. The fix in Apache HTTP Server 2.4.50 is incomplete (see CVE-2021-42013).

Recommended Mitigations

  • Apply update or patch.

Detection Methods

  • Commercially available scanners can detect this CVE.

Vulnerable Technologies and Versions

Apache HTTP Server 2.4.49 and 2.4.50

Fedoraproject Fedora 34 and 35

Oracle Instantis Enterprise Track 17.1-17.3

Netapp Cloud Backup
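The CVE-2021-41773 description turns on path normalization: a check that looks for `..` in the raw URL is defeated by percent-encoded dots, and a single decoding pass is defeated by double encoding, which is why the 2.4.50 fix was incomplete (CVE-2021-42013). The following Python is an added example, not code from the advisory or the Apache project. It shows the inadequate raw-string check beside a resolver that fully decodes, normalizes, and confirms the result stays under the directory its Alias-style prefix maps to, then runs that resolver over a few constructed access-log lines as a detection pass. The `ALIASES` map, `DOCROOT` and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed mapping of URL prefixes to directories, standing in for Alias
# and ScriptAlias directives. These paths are illustrative.
ALIASES = {
    "/cgi-bin/": "/usr/lib/cgi-bin/",
    "/icons/": "/usr/share/apache2/icons/",
}
DOCROOT = "/var/www/html/"

# Combined-log-format request line, enough for the constructed samples below.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing (bounded).

    A check that looks for '..' before decoding misses '.%2e'; one that decodes
    only once misses '.%%32%65' (double encoding), the gap left by the 2.4.50
    fix. Deciding on the fully decoded form closes both.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def naive_contains_dotdot(url_path):
    """The inadequate check: a substring test on the raw, still-encoded URL."""
    return ".." in url_path


def map_request_path(url_path):
    """Resolve a request path to a filesystem path and report whether it stays
    inside the directory its prefix maps to. Returns (resolved_path, inside)."""
    decoded = decode_fully(url_path.split("?", 1)[0])
    # Longest matching alias prefix wins; anything else falls under the document root.
    prefix, directory = "/", DOCROOT
    for alias_prefix, alias_dir in sorted(ALIASES.items(), key=lambda kv: -len(kv[0])):
        if decoded.startswith(alias_prefix):
            prefix, directory = alias_prefix, alias_dir
            break
    relative = decoded[len(prefix):].lstrip("/")
    resolved = posixpath.normpath(posixpath.join(directory, relative))
    inside = resolved == directory.rstrip("/") or resolved.startswith(directory)
    return resolved, inside


def scan_access_log(lines):
    """Flag requests whose decoded, normalized path escapes its mapped directory."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, raw_path, status = m.groups()
        resolved, inside = map_request_path(raw_path)
        if not inside:
            flagged.append((client, raw_path, resolved, int(status)))
    return flagged


# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [06/Oct/2022:10:00:01 +0000] "GET /icons/folder.gif HTTP/1.1" 200 225',
    '203.0.113.7 - - [06/Oct/2022:10:00:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234',
    '203.0.113.9 - - [06/Oct/2022:10:00:03 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/hosts HTTP/1.1" 403 199',
    '203.0.113.5 - - [06/Oct/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4521',
]

if __name__ == "__main__":
    for client, raw_path, resolved, status in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{client} requested {raw_path} -> {resolved} (HTTP {status})")
```

The status code is kept in each finding because a 200 on an escaping request is the case worth investigating first; a 403 on the same shape of request shows the "require all denied" default doing its job, as the description notes.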

Revisions

Initial Publication: October 6, 2022

This product is provided subject to this Notification and this Privacy & Use policy.

Welcome to the 2023 Imagine Cup

Welcome to the 2023 Imagine Cup!

Imagine Cup is the premier global student technology competition that offers students just like you the opportunity to unleash their passion and purpose to develop inspiring leading-edge technology solutions in one of four competition categories—Earth, Education, Health, and Lifestyle–that could make a difference in the world. Students can tap into their entrepreneurial side and actively take steps towards bringing their ideas to life and making their dreams come true. Along the way, you connect with like-minded people, gain new skills, obtain training and mentorship, and have the chance to win cash prizes! 

Here’s what you can look forward to on your journey once you register: 



  • Gather—a Discord community exists for students to connect with other competition entrants and find potential teammates, brainstorm ideas, and receive project and competition tips.
  • Learn—a treasure trove of resources is readily available to competitors, including curated training to better prepare students to submit to the competition.
  • Build—the Epic Challenge provides competitors the chance to collaborate with teammates and present a 3-minute project pitch and proposal for a chance to receive USD1,000, feedback from judges, and advance in the competition to the World Finals.
  • Compete—the Online Semifinals, National Finals, and the Regional Finals allow competitors the chance to hone technical skills, gain experience pitching an idea, and possibly win cash prizes.
  • Pitch—the top teams showcase their work on a global stage at the World Championship in May 2023 for a chance to win USD100,000 and a mentorship session with Microsoft Chairman and CEO, Satya Nadella.

Check out more details on this year’s competition and get started on your journey today!

Cisco Releases Security Updates for Multiple Products

Cisco has released security updates to address vulnerabilities in multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. 

CISA encourages users and administrators to review the following advisories and apply the necessary updates:

  • Cisco Enterprise NFV Infrastructure Software Improper Signature Verification Vulnerability cisco-sa-NFVIS-ISV-BQrvEv2h
  • Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities cisco-sa-expressway-csrf-sqpsSfY6

CISA Releases Two Industrial Control Systems Advisories

CISA released two (2) Industrial Control Systems (ICS) advisories on October 06, 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations:

Use Demand Driven Material Requirements Planning to increase service and decrease lead time

For better or worse, customers have come to expect short lead times. Responding to those expectations has become more complex from a supply chain perspective: product availability has become less predictable, which lowers forecast accuracy; parts have long lead times; and there’s pressure to maintain leaner inventories to reduce holding costs. Is it possible to have high customer service levels while not holding too much inventory? With Demand Driven Material Requirements Planning (DDMRP), it is.

What is Demand Driven Material Requirements Planning?

DDMRP is a formal method for modeling, planning, and managing supply chains. It has been proven to improve performance in these volatile, complex, and ambiguous environments, where cumulative lead times are longer than your customers’ tolerance. It’s based on maintaining a stock buffer at strategic decoupling points, absorbing variability to avoid the bullwhip effect.

DDMRP methodology consists of five sequential components:

1. Strategic inventory positioning: Determine decoupling points where stock buffers can be placed.

2. Buffer profiles and levels: Determine the amount of protection (“shock absorption”) at the decoupling points that’s needed to mitigate variability in both directions. Historical and forecasted usage rates and DDMRP part settings are used to create unique, three-zone, color-coded buffers.

3. Dynamic adjustments: After the initial buffer sizes are determined, allow the level of protection to flex up or down based on factors such as operating parameters, market changes, and known or planned future events.

4. Demand-driven planning: Generate supply orders (purchase orders, manufacturing orders, and stock transfer orders) from qualified (as opposed to planned) sales orders within a short planning horizon. The equation On-Hand + Open Supply − Qualified Sales Order Demand determines each day’s net flow position. If the net flow position is below the top of the yellow zone, a supply order is generated for the amount needed to reach the top of the green zone.

[Figure: net flow position against the three-zone buffer, from Demand Driven Institute]

5. Visible and collaborative execution: Manage open supply orders using intuitive, easily interpreted signals on open supply priorities against the on-hand buffer position. The lower the on-hand level, the higher the risk to maintaining flow and the higher the execution priority. That is, priority is assigned by buffer status, not due date. It’s easy to get an overview of the state of the buffers.
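Steps 4 and 5 above describe a calculation that is easy to get wrong in a spreadsheet, so here is an added Python example of the net flow rule and the on-hand colour signal. It is not code from Dynamics 365 Supply Chain Management or the Demand Driven Institute; the zone sizes are made up, and it assumes the three zones stack (top of yellow = red + yellow, top of green = red + yellow + green).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Buffer:
    """A three-zone DDMRP buffer. Assumption used here: the zones stack, so the
    top of yellow is red + yellow and the top of green is red + yellow + green."""
    red: float
    yellow: float
    green: float

    @property
    def top_of_red(self):
        return self.red

    @property
    def top_of_yellow(self):
        return self.red + self.yellow

    @property
    def top_of_green(self):
        return self.red + self.yellow + self.green


def net_flow_position(on_hand, open_supply, qualified_demand):
    """Net flow position = On-Hand + Open Supply - Qualified Sales Order Demand."""
    return on_hand + open_supply - qualified_demand


def plan_supply_order(buffer, on_hand, open_supply, qualified_demand):
    """Step 4: if the net flow position is below the top of yellow, order enough
    to bring it back to the top of green; otherwise no order is generated."""
    nfp = net_flow_position(on_hand, open_supply, qualified_demand)
    if nfp < buffer.top_of_yellow:
        return buffer.top_of_green - nfp
    return 0


def on_hand_zone(buffer, on_hand):
    """Step 5: execution priority comes from the on-hand position against the
    buffer, not from due dates. Lower on-hand means a more urgent colour."""
    if on_hand <= buffer.top_of_red:
        return "red"
    if on_hand <= buffer.top_of_yellow:
        return "yellow"
    return "green"


# Constructed example: zones of 100 / 200 / 150 units.
EXAMPLE_BUFFER = Buffer(red=100, yellow=200, green=150)

if __name__ == "__main__":
    nfp = net_flow_position(120, 90, 60)
    qty = plan_supply_order(EXAMPLE_BUFFER, on_hand=120, open_supply=90, qualified_demand=60)
    print("net flow position:", nfp)        # 150, below the top of yellow (300)
    print("supply order quantity:", qty)    # 450 - 150 = 300
    print("on-hand zone:", on_hand_zone(EXAMPLE_BUFFER, 120))
```

Note that planning uses the net flow position (which includes open supply and qualified demand) while execution priority uses on-hand alone; with the numbers above the item needs a 300-unit order and is already in the yellow zone on hand.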

Benefits of Demand Driven Material Requirements Planning

DDMRP has proven benefits across many industries:

| Benefit | Typical improvements |
| --- | --- |
| Improved customer service | 97%–100% on-time order fulfillment rates |
| Lead time compression | Lead time reductions of more than 80% |
| Balanced inventory | Inventory reductions of 30%–45% |
| Lowest total operating cost | Costs related to expedited activity and false signals are largely eliminated |
| Improved planner productivity | Planners see priorities instead of constantly fighting the conflicting messages of MRP |

From Demand Driven Institute

Dynamics 365 Supply Chain Management is DDMRP-compliant

Microsoft Dynamics 365 Supply Chain Management is DDMRP-compliant according to the Demand Driven Institute, the leading authority on demand-driven methodologies. To be compliant, software must meet five compliance criteria. By compliant, we mean that Dynamics 365 Supply Chain Management follows the methodology according to the DDMRP industry standards as indicated by the Demand Driven Institute.

How to get started with DDMRP

DDMRP is a new concept for many companies. We suggest you start with a small pilot or simulation involving a subset of items to determine if DDMRP would be valuable for your organization. It’s simple to set up. Just enable Priority Driven MRP support for Planning Optimization and DDMRP for Planning Optimization in Dynamics 365 Supply Chain Management.

Next steps

Sources

Demand Driven Institute. What is DDMRP?

The post Use Demand Driven Material Requirements Planning to increase service and decrease lead time appeared first on Microsoft Dynamics 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Microsoft is a Market Champion in the KuppingerCole Analysts Leadership Compass, Customer Data Platforms

We are honored to announce that Microsoft Dynamics 365 Customer Insights was named a Market Champion in the KuppingerCole Analysts Leadership Compass, Customer Data Platforms.

The Leadership Compass report speaks to how a customer data platform (CDP) can help organizations address the challenges (siloed data, personalization, and multichannel orchestration among them) that they may face when seeking to improve their customer experience. Microsoft’s customers are overcoming these challenges with Dynamics 365 Customer Insights, a recognized product-leading, innovation-leading, and market-leading CDP with comprehensive, powerful capabilities.

One Microsoft customer that is committed to a data-centric approach to its customer experience initiatives is Valencia Club de Fútbol (CF). The club is taking charge of its customer data with Dynamics 365 Customer Insights and using the CDP to help its entire organization usher in a data-driven mindset. As a result, the club is creating more meaningful and personalized fan engagement. As explained by Franco Segarra, Head of Innovation for Valencia CF, “Becoming data-driven helps everyone get more out of their job.”

Three areas of recognized leadership

Microsoft customers like Valencia CF are powering hyper-personalized, delightful customer experiences at scale by embracing the need to have a deep understanding of their customers. They are driving meaningful actions with confidence as a result of recognized leadership of Dynamics 365 Customer Insights in three areas.

1. Product leadership

The functional strengths and complete services of the Microsoft CDP empower you to get the most complete view of your customers by unifying all your customer data with ease. Best-of-breed technologies such as Microsoft Azure Data Lake and Cosmos DB power this innovation at massive scale. Customers can store many hundreds of millions of profiles within a single environment, making the CDP an exceptional powerhouse for end-to-end enterprise marketing stacks.

2. Product innovation

Microsoft customers benefit from ongoing, customer-oriented innovation that helps them meet their evolving and emerging business requirements. We are focused on differentiation and solving customer pain points with both customer-requested enhancements and cutting-edge features. We are also supporting our customers in expanding and accelerating their discovery of insights with out-of-box machine learning templates, as well as support for custom AI/ML models with Microsoft Azure Synapse Analytics. Microsoft customers are benefiting from a limitless analytics solution that significantly reduces their project development time while delivering breakthrough price performance.

3. Market leadership

Microsoft and our extensive ecosystem of more than 7,500 worldwide partners (2022) help customers solve important challenges. Our partners include ISVs building solutions on top of or connecting their solutions to Dynamics 365 and systems integrators providing customizations and integrations for customers’ unique environments. Together, we’re helping customers across industries and around the world grow their businesses by taking full control of their customer data.

We’re delighted to share the news of this recognition of Microsoft as a Market Champion. We agree with KuppingerCole’s assessment that the [Microsoft] “roadmap is ambitious, and the product vision is clear, and are closely linked to overarching activities in the Microsoft ecosystem.” In this unprecedented time of radically shifting consumer behaviors, delivering quality, highly tailored customer experiences is a path to competitive differentiation that can help lead to customer loyalty. Customer Insights is your key to engaging your customers like your business depends on it.

Learn more

To learn more about how Microsoft compared to the other technology providers included in this Leadership Compass, please access the KuppingerCole Leadership Compass, Customer Data Platforms for a complimentary copy of the report.

The post Microsoft is a Market Champion in the KuppingerCole Analysts Leadership Compass, Customer Data Platforms appeared first on Microsoft Dynamics 365 Blog.

Expanding the workforce through greater inclusion

Kim Akers – CVP, MCAPS Enablement and Operations

Over the past few years, across every industry, we have seen organizations quickly adjust to challenges and pursue new business opportunities as the pandemic reshaped our world. From health care to manufacturing, retail, and beyond, organizations have had to focus not only on building their own digital capability but also on hiring talent with proven potential.

As more and more organizations seek to fill the nearly 150 million jobs being created by this transformation, it has become acutely clear: talent is everywhere, but opportunity is not. In fact, COVID-19 put a giant spotlight on just how many people have been overlooked for far too long—people of color, women, people with less education, and people with disabilities.

It’s never been more important to ensure everyone can prove they have the tech skills to take on that new assignment, get that new job, or achieve the impossible.

With this in mind, and in honor of National Disability Employment Awareness Month, I’m excited to share more detail on how we’re helping to reshape the certification industry to be more inclusive for people with disabilities.

Understanding disabilities

For decades, “disability” has focused on mobility, vision, or hearing issues. Yet 70 percent of disabilities don’t have visible indicators. Examples of non-apparent disabilities include:

  • Learning: Includes difficulty focusing, concentrating, or understanding
  • Mental health: Includes anxiety, bipolar disorder, PTSD, and/or depression
  • Neurodiversity: Includes dyslexia, seizures, autism, or other cognitive differences

I am part of that 70%, and my experience with dyslexia and dysgraphia helps me have empathy for the variety of challenges faced by the disability community. I know that having a seen, or unseen, disability can have a tremendous impact on someone’s career and opportunities—especially in an industry with years of tradition stacked against them.

Take, for instance, Kevin’s story.

Kevin is a sales director whose job required him to complete a certification. He was diagnosed with ADHD as a child but thought it had subsided as he grew up. The symptoms re-emerged in adulthood, impacting his life at work.

For example, Kevin spent more than 500 hours studying and preparing for a certification test. He didn’t know how to get the accommodations required for success; the process was too complex. He failed the exam several times. This had a cascade effect: not passing meant he missed his mandatory training goal, resulting in reduced compensation and contributing to increased anxiety at work and at home.

“The more we can help people to learn on their terms, the more we can help people take the time that they need and to have the resources they need to succeed,” Kevin says, noting that he passed the exam after receiving proper accommodations.

It is painful to read stories like Kevin’s. No one should be left behind because they need additional accommodation while taking a test or anything else. Yet that’s what happens every day.

Removing barriers to success, trying new approaches

I believe it’s time to shake things up.

We have been listening, researching, and learning how to be more inclusive—this includes reviewing and updating our certification exam accommodations. And just three months ago, we rolled out the first of many exam improvements: test takers no longer have to ask before moving around or looking away from the computer during a test. They must simply stay in view of the camera. That will make a big difference for many test takers.

We also know that seeking an accommodation has historically been complicated and may even require sharing sensitive, personal information. So, we’ve also made changes like:

  • Making the accommodation application process simpler
  • Removing the documentation requirement for most requests; and when it is required, expanding the list of acceptable documentation and reducing the burden placed on applicants
  • Ensuring proctors understand how to provide accommodations
  • Establishing a Microsoft Certification Accommodations HyperCare support team to support learners who need extra help (msftexamaccom@microsoft.com)

For a complete list of accommodations requirements, please visit: Accommodations and associated documentation requirements.

Change begins within

Certifications are a proven method for employees and job candidates to stand out in an increasingly competitive industry. I’m thrilled to see the steps taken to ensure our Microsoft Certification program is accessible to all.

After all, living with a disability shouldn’t hinder opportunity. Simply put, organizations must go beyond compliance when it comes to accommodations. That includes both offering them and ensuring proctors are properly trained. I’m thrilled that Microsoft is leading the way.

Stay tuned, more changes are in the works. I can’t wait to share them with you.

Related announcements

Improvements to the Exam Accommodation Process

Microsoft is a Market Champion in the KuppingerCole Analysts Leadership Compass, Customer Data Platforms

Your guide to Dynamics 365 at Microsoft Ignite 2022

Microsoft Ignite returns live next week, a digital and in-person event in Seattle, Washington, on Wednesday, October 12, and Thursday, October 13. Register today for two content-packed days where you’ll explore the future of Microsoft Dynamics 365 and Microsoft Power Platform and join other technologists in immersive learning experiences, product demos, breakout sessions, and expert meet-ups.

This year, the Dynamics 365 and Power Platform teams will showcase new and upcoming capabilities as well as demonstrate how your organization can make the most of AI and automation to streamline business processes, enhance collaboration, and improve customer and employee experiences.

Register now for the in-person or digital event. The free digital event will be the foundation of Microsoft Ignite this year, offering hours of sessions and interactive learning, Q&As with experts, live discussions, roundtables, and much more, all streaming live and on-demand, at no cost.

Dynamics 365 at Microsoft Ignite: Essential sessions and activities

To help you plan your experience from the variety of sessions and activities, we’ve compiled some essential presentations, sessions, and viewing tips. Click the linked titles to learn more and add each event to your session scheduler.

Ignite opening keynote

Wednesday, October 12 | 9:00 AM–9:50 AM Pacific Time

Join the opening keynote, hosted by Microsoft CEO Satya Nadella, for an overview of innovations that will shape the future of business.

Core Theme Session

Wednesday, October 12 | 11:00 AM–11:30 AM Pacific Time
Deliver efficiency with automation and AI across your business

Learn how organizations across industries are applying AI, automation, and mixed reality to streamline business processes, enhance collaboration, and improve customer and employee experiences. You’ll get a first-hand look at how products like Microsoft Viva Sales, Microsoft Digital Contact Center Platform, and Microsoft Power Platform rapidly enable AI and automation with modern capabilities.

Into Focus

Wednesday, October 12 | 3:00 PM–3:40 PM Pacific Time
Business Applications Into Focus: Biz Apps 2022 Release Wave 2 Launch

Don’t miss this first look at the new Dynamics 365 and Power Platform innovations coming to market. We’ll debut new technologies not previously announced, as well as give you a first look at innovations in release wave 2, features that are planned for release between October 2022 and March 2023. We’ll also spotlight organizations that will use these new technologies to drive better operational outcomes and customer success.

Dynamics 365 breakout sessions

After the keynote, learn what’s new and on the horizon for Dynamics 365 in these featured sessions:

Wednesday, October 12 | 11:05 AM–11:30 AM Pacific Time
Re-energize your workforce in the office, at home, and everywhere in between

In today’s shifting macroeconomic climate, technology can help organizations in every industry overcome challenges and emerge stronger. From enabling hybrid work to bringing business processes into the flow of work, learn how Microsoft 365 helps organizations deliver on their digital imperative, so they can “do more with less.”

Wednesday, October 12 | 2:00 PM–2:30 PM Pacific Time
Jumpstart your physical operations transformation with technologies built for the industrial metaverse

Explore what the industrial metaverse means today and where the technology is headed. From autonomous automation to connected field service and mixed reality to digitization of connected environments, we’ll showcase a maturity model that you can use to guide your implementation over time while solving business challenges each step of the way. We’ll also share how innovative customers are using this technology now to secure a competitive edge and build for the future.

Wednesday, October 12 | 12:00 PM–12:40 PM Pacific Time
Microsoft Viva: Latest innovations and roadmap for the new digital employee experience

Hybrid work presents new challenges for engaging, motivating, and growing a workforce. IT leaders and human resources (HR) leaders have an opportunity to partner on a more advanced digital experience to support various ways of working. We’ll explore how Viva puts people at the center, connecting them to company information, communications, workplace insights, knowledge, and learning. Product leadership will share the latest innovations from Viva to prepare your organization for the new digital employee experience, today.

Wednesday, October 12 | 12:00 PM–12:35 PM Pacific Time
Unlock new customer experiences with NLP at scale

Organizations around the world use Microsoft’s natural language processing (NLP) capabilities to simplify tasks and support human connection, from helping employees better understand customer needs to helping customers find information more quickly. Learn why technology leaders are doubling down on NLP, and get a deeper understanding of NLP capabilities available across Dynamics 365 and Microsoft Azure Cognitive Services that can help transform customer and employee engagement at scale.

Wednesday, October 12 | 2:00 PM–2:30 PM Pacific Time
Create rich connections and customer experiences with Microsoft Teams Phone and contact center capabilities

Staying connected with colleagues, partners, and customers is more important than ever. Join us to learn how Teams Phone and contact center capabilities for Teams can create richer communications while helping organizations turn customer service into a team sport. We’ll share the latest updates on our mobility innovation and discuss how organizations are using Teams Phone enterprise-grade calling.

Attend live or watch on-demand

In addition to the live streams above, each segment will be rebroadcast throughout the event. The key segments are open to everyone, but we encourage you to register in advance to unlock the full Microsoft Ignite experience, from digital breakout sessions with live Q&As to conversations with Microsoft experts and your global community.

More to explore

Microsoft Ignite will include live segments and Q&As, available across time zones. Check out all of the events and activities hosted by our team of experts:

  • Ask the Experts: An opportunity to ask questions at sessions with experts in cloud, desktop, mobile, and web development for specific guidance on your project or interests.
  • Table Topics: A live discussion with the community on camera and in chat. Get inspired by community experts, learn best practices, and share helpful resources with other attendees.
  • Local Connections: An opportunity to engage with attendees local to you, no matter where you are in the world. Dedicated time to help find developers, Microsoft experts, and partners with similar interests in your area.
  • Learn Live: Guided online content with subject matter experts to direct you through Microsoft Learn modules that you can complete on your own at any time.
  • Product Roundtables: Two-way discussions direct with Microsoft engineering.
  • Cloud Skills Challenge: A collection of interactive, online learning modules to complete for a chance to earn a free certification exam.
  • One-to-One Consultations: A unique opportunity to connect with an expert during the event to get the technical answers you need. These 45-minute sessions provide the event’s only one-to-one setting.

Get the most of your Microsoft Ignite experience

Be sure to follow Microsoft Ignite on LinkedIn and Twitter to stay up to date and connected with the community, and register for Microsoft Ignite today.

The post Your guide to Dynamics 365 at Microsoft Ignite 2022 appeared first on Microsoft Dynamics 365 Blog.

FBI and CISA Publish a PSA on Malicious Cyber Activity Against Election Infrastructure

The Federal Bureau of Investigation (FBI) and CISA have published a joint public service announcement that:

  • Assesses that malicious cyber activity aiming to compromise election infrastructure is unlikely to result in large-scale disruptions or prevent voting.
  • Confirms “the FBI and CISA have no reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information.”

The PSA also describes the extensive safeguards in place to protect election infrastructure and includes recommendations for protecting against election-related cyber threats.