Don’t click on that random text. It’s a scam
This article was originally posted by the FTC. See the original article here.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Ten Azure networking tips that may simplify your life
This article is contributed. See the original author and article here.
Hi,
Azure networking can sometimes give headaches. Here are a few tips which may make your life easier.
1. Private link effect – episode 1 – route tables
When enabling Azure Private Link for a given resource, say a Storage Account, you may end up with the following configuration
where you have routed all traffic to Azure Firewall (or an NVA) and noticed that the VM (or anything else) is directly connecting to the private endpoint, bypassing the firewall…This might come as a surprise to you but this is due to the fact that whenever you enable private link for a given resource, a direct (more specific) route is propagated to the underlying NICs. In the above example, Azure will write the 10.1.5.4/32 route to the NIC(s) of the VM pointing directly to the InterfaceEndpoint of the resource. Because this route is more specific than 0.0.0.0/0, the firewall will be bypassed. To overcome this, you have to write a /32 route to the subnet’s route table to overwrite the one written by Azure, which can be itself challenging because of the 400 routes limit per route table. Microsoft wrote a good guidance on that topic.
2. Private link effect – episode 2 – route tables
Ok, now you think you understood private link routing, right? So what about this?
You thought Azure was pushing a route to underlying NICs but you realize that the VM in VNET 3 does not have such a route…Why is that? Well, it makes sense but you do not especially think about it. The reason why VNET 3’s VM does not get the route is because VNET 3 is not peered with VNET 1. Because peering is non-transitive, writing such a route would anyway lead to a dead-end. So, if you had a 0.0.0.0/0 UDR on VNET 3’s subnet, this would this time be correctly routed to the firewall…So as you guessed it, if you put a private endpoint in an intermediate VNET:
this time, the /32 route is propagated to all peered VNETs. Long story short, putting private endpoints into the hub, would propagate into every spoke, and thus, you’d better follow the guidance if you want to route that to the firewall.
3. Private link effect episode 3 – Network Security Groups
Ok great, that’s for routing but fortunately, we don’t have to worry about NSGs. Well…
How come VM2 is able to connect to my private endpoint??? My deny all rule should have kicked in..What’s going on here? Well, for the same reason as before, the InterfaceEndpoint is non-sensitive to NSGs. So, you must make sure to route things correctly to make sure, the InterfaceEndpoint is not used.
4. Private link effect episode 4 – forget the first 3 episodes?
Well, I’m sorry for you if you read the first 3 episodes because all of that is *almost* part of the past…but you will surely still likely see this for quite a while. Microsoft has revamped the way private link works, and there is a preview (UDR) and preview (NSG) available (not in all regions), which allows you to deal with private link traffic, like with any other type of traffic, but meanwhile, you’d better still understand how it currently works :).
5. Private link and outbound traffic
Repeat after me:
– Private link is inbound traffic only
– Private link is inbound traffic only
– Private…(well you got it, right?)
I still see a huge confusion with many folks about private link, where people think that enabling private link for an app service, APIM, etc. will give them access to the resources sitting in a given VNET. That is wrong, to gain access to such resources, you have to focus on outbound traffic, not inbound!
6. Private link and public traffic
Remember one rule of thumb: private link does not automatically deny public traffic for all services. It does for some but not for all. So, remember to always double-check that public traffic is indeed correctly denied.
7. The propagate gateway routes effect
Whenever you establish private connectivity between your datacenter and Azure, you will use the hub vnet to bridge both worlds. You’re likely going to have (not mandatory) a VPN Gateway to establish a S2S and/or Expressroute connection. From there on, each spoke VNET should be able to connect to your on-premises systems and vice-versa. You, of course, want to make sure, traffic is routed through your firewall. If you encounter a different behavior (traffic directly flying from on-prem to spoke and vice versa), you’re likely forgot to deactivate the “propagate gateway routes” property of the route table.
So, make sure to turn it off :).
8. The Kubenet effect of NSGs
Many companies struggle to decide whether they want to implement Azure CNI (now BYO CNI is available) or Kubenet for their AKS clusters. The main reason is the shortage of IP addresses. Kubenet is IP-friendly because it only allocates IPs to nodes, while CNI allocates one IP per pod, which results in many more consumed IPs. You can use Kubenet if you’re willing to fully embrace a programmable network approach such as the use of Service Meshes and internet Network Policies (Calico for ex. which also works with Kubenet). However, if you plan to rely on Azure networking capabilities, such as using NSGs and the likes, then you’d better switch to CNI. Consider the following scenario:
where you want to share the same cluster for multiple tenants but you want to isolate tenants in their own node pool. So, in the above scenario, you only want system to be able to connect to tenants but tenant 1 and tenant 2 cannot talk together. You do not trust logical isolation (K8s network policies & service meshes) and want to rule this with Network Security Groups instead, or even combine both. Easy, you simply add the following inbound rules to tenant 1 & tenant 2’s NSGs:
– Priority: 100 – source IP: 10.0.0.0/28 destination: * – ALLOW (let’s skip the ports for sake of simplicity)
– Priority: 110 – source IP: * destination: * – DENY
So, that way, this should fly…Well, it appears that this won’t fly at all. Why is that? Because Kubenet makes use of network address translation (NAT) to allocate POD CIDRs dynamically, and what the NSGs see are not the subnet ranges but the POD CIDRs…, which can change at any time. Indeed, Azure constantly rewrites the route table associated to the subnets to map POD CIDRs with nodes, whenever the cluster restarts or whenever a node gets added/removed to/from a node pool. Therefore, you can’t predict how this allocation will be done, which defeats the use of NSGs to rule internal traffic. Of course, you could still use them to rule what comes from outside.
9. Localhost in APIM policies
Did you know that you can use the keyword localhost in APIM policies? If you have a set of APIs and want APIM to let them call each other while never leaving the boundaries of APIM itself (not resolve again the IP through the DNS), you can use localhost…
10. The troubleshooting tool
Whenever you encounter a network issue in Azure, I recommend you to use Network Watcher and more specifically, its next hop feature. It helped me already a few times figure out what was misconfigured.
MTC Weekly Roundup – August 5
This article is contributed. See the original author and article here.
Hello hello, MTC! The first week of August is in the books, so let’s see what went down in the Community.
MTC Moments of the Week
We had a great AMA in the Community this week that focused on Azure Deployments, featuring @Mark Gray, @adotfrank, @stephanieyen, and @stevenjma with @Eric Starker moderating. As a quick reminder, an AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit, and there is no audio or video component at this time.
Over on the blogs, @lucyhitz announced the general availability of Microsoft Viva Goals, “a goal-setting and management solution that aligns teams to your organization’s strategic priorities, driving results and a thriving business.” Head over to the post to watch an overview and learn more!
We also want to give a shoutout this week to @ScottLamond, a new MTC’er, for providing several helpful responses in the Excel Community! Welcome and keep being awesome! :)
Unanswered Questions – Can you help them out?
Every week, users come to the MTC seeking guidance or technical support for their Microsoft solutions, and we want to help highlight a few of these each week in the hopes of getting these questions answered by our amazing community!
@Jenny_Bruce is seeking advice from the Community about compliance policies and document version history limits in SharePoint Online.
Meanwhile, @JohnHogan20224k is encountering an error in the Microsoft 365 admin center having to do with Teams for Organization, so maybe you can help figure out what’s causing it.
Next Week – Mark your calendars!
Lastly, we have no events next week, but check back soon for updates!
Have a great weekend, everyone!
Share data with Microsoft Purview for Azure storage with private endpoints or VNET restrictions
This article is contributed. See the original author and article here.
This is a follow-up post on a recently published article on sharing data in near real-time with Microsoft Purview in-place data sharing for Azure Storage. I highly encourage you to read Share data near real-time with Microsoft Purview in-place data sharing for Azure Storage first before you pore over this article on how to share Azure storage solutions such as Azure Blob Storage and Azure Data Lake Gen2 with VNET traffic restrictions or even with no public endpoints i.e. private endpoints only.
Now, using Microsoft Purview in place data share you can also create shares that can connect to Azure storage PaaS such as blob storage and data lake storage with VNET restrictions and to further up the ante – even with storage accounts with no public endpoints.
This is a critical feature that has been made available only in Microsoft Purview data share and is not part of the standalone Azure data share services.
In this article, I will present a few quick pointers and considerations that you have to know before you get started with Purview data sharing using restricted Azure storage accounts.
Premise – Share data with Microsoft Purview for Azure storage with private endpoints or VNET restrictions.
Solution – In a nutshell, with Purview private endpoints i.e. account, ingestion, and portal (being optional) you can deliver new data shares while connecting to storage accounts with VNET restrictions and/or no public endpoint i.e. private endpoints only. This assumes that the private endpoint for the storage account and purview are created in the same VNET or, this is created in a networking landing zone in case you follow the learnings of the enterprise scale landing zone.
Here’s a quick overview of key steps which will help you set up a data share with restricted storage accounts –
Step 1 – Create purview private endpoints i.e. account, ingestion, and portal (being optional). This is required for private connectivity between Purview and target storage accounts. This is a required step regardless of how the storage account is configured i.e. with VNET restrictions or with no public endpoint.
You can create the private endpoints in the same VNET i.e. of storage account or in a dedicated VNET which may be part of your networking scaffold in the enterprise scale landing zone. Make sure the different networks i.e. Purview VNET and storage account VNET is peered if you were to follow this topology.
You can also learn more about this configuration here – Connect to your Microsoft Purview to data sources privately and securely
Here’s a quick overview of a typical Purview deployment with private endpoints enabled.
Step 2 – Depending on the storage account networking configuration, let’s break this section into 2 sub parts –
#1 Deliver data share from a storage account with VNET restrictions
This setup assumes that you have storage accounts with VNET restrictions and in-bound traffic from only selected VNET’s are permitted. In this case, you can create Purview endpoints in the same VNET as of storage account or in a separate VNET as long as both are peered.
You can read more about this configuration here – Configure Azure Storage firewalls and virtual networks
#2 Deliver data share from a storage account with private endpoints only
This setup assumes that you have storage accounts with no public endpoints and the only way an application can communicate is via private endpoints only. In this case, you will have to create private endpoints for the storage account in a VNET which is accessible by Purview via ingestion private endpoints. So, this can be done in the same VNET as Purview ingestion private endpoints or in a VNET that is accessible and peered to Purview private endpoints in case of enterprise scale landing zone.
If you create a private endpoint for the Data Lake Storage Gen2 storage resource, then you should also create one for the Blob storage resource. That’s because operations that target the Data Lake Storage Gen2 endpoint might be redirected to the Blob endpoint. By creating a private endpoint for both resources, you ensure that operations can complete successfully.
You can read more about this configuration here – Use private endpoints – Azure Storage
Step 3 (optional) – I always recommend running nslookup for querying the Domain Name System (DNS) records to obtain the mapping between domain name and IP address. The expectation here is that the name resolution for the storage account and Purview endpoints should return their respective private IP addresses.
If you have followed these steps, with appropriate permissions on the storage account via RBAC’s you can then deliver new data shares with your consumer groups with restricted storage accounts which earlier was not possible using Azure data share.
My objective for this post was to introduce you to how you can connect and deliver share with storage accounts that have network restrictions such as VNET restrictions and private endpoints only. Hence, I would not talk about the user journey or customer experience regarding how to create and manage a share. I encourage you to read our post on this subject at How to share data – Microsoft Purview.
CISA Adds One Known Exploited Vulnerability to Catalog
This article is contributed. See the original author and article here.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
2021 Top Malware Strains
This article is contributed. See the original author and article here.
Agent Tesla
alert any any -> any any (msg:”HTTP GET request /aw/aw.exe”; flow:established,to_server; sid:1; rev:1; content:”GET”; http_method; content:”/aw/aw.exe”; http_uri; reference:url, https://www.datto.com/blog/what-is-agent-tesla-spyware-and-how-does-it-work; metadata:service http;)
AZORult
alert tcp any any -> any any (msg:”HTTP Server Content Data contains ‘llehS|2e|tpircSW'”; sid:1; rev:1; flow:established,from_server; file_data; content:”llehS|2e|tpircSW”; nocase; fast_pattern:only; pcre:”/GCM(?:x20|%20)*W-O*/i”; reference:url,maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/; metadata:service http;)
AZORult
alert tcp any any -> any any (msg:”HTTP POST Client Body contains ‘J/|fb|’ and ‘/|fb|'”; sid:1; rev:1; flow:established,to_server; content:”POST”; http_method; content:”.php”; http_uri; content:”J/|fb|”; http_client_body; fast_pattern; content:”/|fb|”; http_client_body; depth:11; content:!”Referer|3a 20|”; http_header; metadata:service http;)
FormBook
alert tcp any any -> any any (msg:”HTTP URI POST contains ‘&sql=1’ at the end”; sid:1; rev:1; flow:established,to_server; content:”&sql=1″; http_uri; fast_pattern:only; content:”POST”; http_method; pcre:”/(?(DEFINE)(?’b64std'[a-zA-Z0-9+/=]+?))(?(DEFINE)(?’b64url'[a-zA-Z0-9_-]+?))^/[a-z0-9]{3,4}/?(?P>b64url){3,8}=(?P>b64std){40,90}&(?P>b64url){2,6}=(?P>b64url){4,11}&sql=1$/iU”; reference:url,www.malware-traffic-analysis.net/2018/02/16/index.html; metadata:service http;)
alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/list/hx28/config.php?id='”; sid:1; rev:1; flow:established,to_server; content:”/list/hx28/config.php?id=”; http_uri; fast_pattern:only; content:”Connection|3a 20|close|0d 0a|”; http_header; reference:url,www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html; metadata:service http;)
Ursnif
alert tcp any any -> any any (msg:”HTTP POST Data contains .bin filename, long URI contains ‘/images/'”; sid:1; rev:1; flow:established,to_server; urilen:>60,norm; content:”/images/”; http_uri; depth:8; content:”POST”; nocase; http_method; content:”Content-Disposition|3a 20|form-data|3b 20|name=|22|upload_file|22 3b 20|filename=|22|”; http_client_body; content:”|2e|bin|22 0d 0a|”; http_client_body; distance:1; within:32; fast_pattern; reference:url,www.broadanalysis.com/2016/03/23/angler-ek-sends-data-stealing-payload/; metadata:service http;)
alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/images/’ plus random sub directories and an Image File (Ursnif)”; sid:1; rev:1; flow:established,to_server; content:”/images/”; http_uri; fast_pattern:only; content:!”Host: www.urlquery.net”; http_header; pcre:”//images(/(?=[a-z0-9_]{0,22}[A-Z][a-z0-9_]{0,22}[A-Z])(?=[A-Z0-9_]{0,22}[a-z])[A-Za-z0-9_]{1,24}){5,20}/[a-zA-Z0-9_]+.(?:gif|jpeg|jpg|bmp)$/U”; metadata:service http)
LokiBot
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|Mozilla/4.08 (Charon|3b| Inferno)|0d 0a|”; http_header; fast_pattern:only; metadata:service http; )
LokiBot
alert tcp any any -> any any (msg:”HTTP URI POST contains ‘/*/fre.php’ post-infection”; sid:1; rev:1; flow:established,to_server; content:”/fre.php”; http_uri; fast_pattern:only; urilen:<50,norm; content:”POST”; nocase; http_method; pcre:”//(?:alien|lokyd|donep|jemp|lokey|new2|loki|Charles|sev7n|dbwork|scroll/NW|wrk|job|fived?|donemy|animationdkc|love|Masky|vd|lifetn|Ben)/fre.php$/iU”; metadata:service http;)
LokiBot
alert tcp any any -> any any (msg:”HTTP URI POST contains ‘/w.php/'”; sid:1; rev:1; flow:established,to_server; content:”/w.php/”; http_uri; fast_pattern:only; content:”POST”; nocase; http_method; pcre:”//w+/w.php/[a-z]{13}$/iU”; metadata:service http;)
MOUSEISLAND
alert tcp any any -> any any (msg:”HTTP URI GET contains ‘/assets/<8-80 hex>/<4-16 alnum>?<3-6 alnum>='”; sid:9206287; rev:1; flow:established,to_server; content:”/assets/”; http_uri; fast_pattern:only; content:”HTTP/1.1|0d 0a|”; depth:256; content:!”|0d 0a|Cookie:”; content:!”|0d 0a|Referer:”; pcre:”//assets/[a-fA-F0-9/]{8,80}/[a-zA-Z0-9]{4,16}?[a-z0-9]{3,6}=/U”; metadata:service http;)
NanoCore
alert tcp any any -> any 25 (msg:”SMTP Attachment Filename ‘Packinglist-Invoice101.pps'”; sid:1; rev:1; flow:established,to_server,only_stream; content:”Content-Disposition|3a 20|attachment|3b|”; content:”Packinglist-Invoice101.pps”; nocase; distance:0; fast_pattern; pcre:”/Content-Dispositionx3ax20attachmentx3b[x20trn]+?(?:file)*?name=x22*?Packinglist-Invoice101.ppsx22*?/im”; reference:cve,2014-4114; reference:msb,MS14-060; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Body-FINAL.pdf; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1017_Phishing_in_Plain_Sight-Appendix-FINAL.pdf;)
NanoCore
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘Host|3a 20|frankief hopto me’ (GenericKD/Kazy/NanoCore/Recam)”; sid:1; rev:1; flow:established,to_server; content:”Host|3a 20|frankief|2e|hopto|2e|me|0d 0a|”; http_header; fast_pattern:only; metadata:service http;)
NanoCore
alert tcp any any -> any any (msg:”HTTP GET URI contains ‘FAD00979338′”; sid:1; rev:1; flow:established,to_server; content:”GET”; http_method; content:”getPluginName.php?PluginID=FAD00979338″; fast_pattern; http_uri; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI GET /t?v=2&c= (Qakbot)”; sid:1; rev:1; flow:established,to_server; content:”/t?v=2&c=”; http_uri; depth:9; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf;)
Qakbot
alert tcp any any -> any 21 (msg:”Possible FTP data exfiltration”; sid:1; rev:1; flow:to_server,established; content:”STOR si_”; content:”.cb”; within:50; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service ftp-ctrlchan;)
Qakbot
alert tcp any any -> any any (msg:”Malicious executable download attempt”; sid:1; rev:1; flow:to_client,established; file_type:MSEXE; file_data; content:”|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|”; fast_pattern:only; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP POST URI contains ‘odin/si.php?get&'”; sid:1; rev:1; flow:to_server,established; content:”/odin/si.php?get&”; fast_pattern:only; http_uri; content:”news_slist”; http_uri; content:”comp=”; http_uri; reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI contains ‘/random750x750.jpg?x='”; sid:1; rev:1; flow:to_server,established; content:”/random750x750.jpg?x=”; fast_pattern:only; http_uri; content:”&y=”; http_uri; content:”Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|”; http_header; content:”Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!”Accept-“; http_header; content:!”Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI contains ‘/datacollectionservice.php3′”; sid:1; rev:1; flow:to_server,established; content:”/datacollectionservice.php3″; fast_pattern:only; http_uri; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP header contains ‘Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|'”; sid:1; rev:1; flow:to_server,established; urilen:30<>35,norm; content:”btst=”; http_header; content:”snkz=”; http_header; content:”Accept|3a 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0d 0a|”; fast_pattern:only; http_header; content:”Cache-Control|3a 20|no-cache|0d 0a|”; http_header; content:!”Connection”; http_header; content:!”Referer”; http_header; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; metadata:service http;)
Qakbot
alert tcp any any -> any 21 (msg:”Possible ps_dump FTP exfil”; sid:1; rev:1; flow:to_server,established; content:”ps_dump”; fast_pattern:only; pcre:”/ps_dump_[^_]+_[a-z]{5}d{4}x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)
Qakbot
alert tcp any any -> any 21 (msg:”Possible seclog FTP exfil”; sid:1; rev:1; flow:to_server,established; content:”seclog”; fast_pattern:only; pcre:”/seclog_[a-z]{5}d{4}_d{10}x2Ekcb/smi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service ftp;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/jl/jloader.pl'”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/jl/jloader.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI contains ‘/cgi-bin/clientinfo3.pl'”; sid:1; rev:1; flow:to_server,established; content:”/cgi-bin/clientinfo3.pl”; fast_pattern:only; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI contains ‘/u/updates.cb'”; sid:1; rev:1; flow:to_server,established; content:”/u/updates.cb”; fast_pattern:only; http_uri; pcre:”/^Hostx3A[^rn]+((upd+)|(adserv))/Hmi”; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP response content contains ‘|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|'”; sid:1; rev:1; flow:to_client,established; file_data; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 4C 6F 61 64 52 65 73 6F 75 72 63 65 28 29 20 66 61 69 6C 65 64|”; fast_pattern:only; content:”|47 65 74 46 69 6C 65 46 72 6F 6D 52 65 73 6F 75 72 63 65 73 28 29 3A 20 43 72 65 61 74 65 46 69 6C 65 28 29 20 66 61 69 6C 65 64|”; content:”|52 75 6E 45 78 65 46 72 6F 6D 52 65 73 28 29 20 73 74 61 72 74 65 64|”; content:”|73 7A 46 69 6C 65 50 61 74 68 3D|”; content:”|5C 25 75 2E 65 78 65|”; reference:url,www.virustotal.com/en/file/23e72e8b5e7856e811a326d1841bd2ac27ac02fa909d0a951b0b8c9d1d6aa61c/analysis; metadata:service ftp-data,service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP POST URI contains ‘v=3&c='”; sid:1; rev:1; flow:to_server,established; content:”/t”; http_uri; content:”POST”; http_method; content:”v=3&c=”; depth:6; http_client_body; content:”==”; within:2; distance:66; http_client_body; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; metadata:service http;)
Qakbot
alert tcp any any -> any any (msg:”HTTP URI GET contains ‘/<alpha>/595265.jpg'”; sid:1; rev:1; flow:established,to_server; content:”/595265.jpg”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/[a-z]{5,15}/595265.jpg$/U”; reference:url,www.virustotal.com/gui/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/detection; metadata:service http;)
Remcos
alert tcp any any -> any any (msg:”Non-Std TCP Client Traffic contains ‘|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|’ (Checkin #23)”; sid:1; rev:1; flow:established,to_server; dsize:<700; content:”|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|”; depth:11; fast_pattern; content:”|da b1|”; distance:2; within:2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/analysis-new-remcos-rat-arrives-via-phishing-email/; reference:url,isc.sans.edu/forums/diary/Malspam+using+passwordprotected+Word+docs+to+push+Remcos+RAT/25292/; reference:url,www.malware-traffic-analysis.net/2019/09/03/index.html; reference:url,www.malware-traffic-analysis.net/2017/10/27/index.html;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘host|3a 20|tpsci.com'”; sid:1; rev:1; flow:established,to_server; content:”host|3a 20|tpsci.com”; http_header; fast_pattern:only; metadata:service http;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|*Loader'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|”; http_header; content:”Loader|0d 0a|”; nocase; http_header; distance:0; within:24; fast_pattern; metadata:service http;)
TrickBot
alert udp any any <> any 53 (msg:”DNS Query/Response onixcellent com (UDP)”; sid:1; rev:1; content:”|0B|onixcellent|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; priority:1; metadata:service dns;)
TrickBot
alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=XX, L=Default City, O=Default Company Ltd'”; sid:1; rev:2; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|XX”; nocase; content:”|31 15 30 13 06 03 55 04 07 13 0c|Default City”; nocase; content:”|31 1c 30 1a 06 03 55 04 0a 13 13|Default Company Ltd”; nocase; content:!”|31 0c 30 0a 06 03 55 04 03|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
TrickBot
alert tcp any any -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘C=AU, ST=Some-State, O=Internet Widgits Pty Ltd'”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|31 0b 30 09 06 03 55 04 06 13 02|AU”; content:”|31 13 30 11 06 03 55 04 08 13 0a|Some-State”; distance:0; content:”|31 21 30 1f 06 03 55 04 0a 13 18|Internet Widgits Pty Ltd”; distance:0; fast_pattern; content:”|06 03 55 1d 13 01 01 ff 04 05 30 03 01 01 ff|”; reference:url,www.virustotal.com/gui/file/e9600404ecc42cf86d38deedef94068db39b7a0fd06b3b8fb2d8a3c7002b650e/detection; metadata:service ssl;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘boundary=Arasfjasu7′”; sid:1; rev:1; flow:established,to_server; content:”boundary=Arasfjasu7|0d 0a|”; http_header; content:”name=|22|proclist|22|”; http_header; content:!”Referer”; content:!”Accept”; content:”POST”; http_method; metadata:service http;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.'”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.”; http_header; fast_pattern:only; content:”.png|20|HTTP/1.”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}(?:x3ad{2,5})?$/mH”; content:!”Accept”; http_header; content:!”Referer|3a 20|”; http_header; metadata:service http;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Server Header contains ‘Server|3a 20|Cowboy'”; sid:1; rev:1; flow:established,from_server; content:”200″; http_stat_code; content:”Server|3a 20|Cowboy|0d 0a|”; http_header; fast_pattern; content:”content-length|3a 20|3|0d 0a|”; http_header; file_data; content:”/1/”; depth:3; isdataat:!1,relative; metadata:service http;)
TrickBot
alert tcp any any -> any any (msg:”HTTP URI POST contains C2 Exfil”; sid:1; rev:1; flow:established,to_server; content:”Content-Type|3a 20|multipart/form-data|3b 20|boundary=——Boundary”; http_header; fast_pattern; content:”User-Agent|3a 20|”; http_header; distance:0; content:”Content-Length|3a 20|”; http_header; distance:0; content:”POST”; http_method; pcre:”/^/[a-z]{3}d{3}/.+?.[A-F0-9]{32}/d{1,3}//U”; pcre:”/^Hostx3ax20(?:d{1,3}.){3}d{1,3}$/mH”; content:!”Referer|3a|”; http_header; metadata:service http;)
TrickBot
alert tcp any any -> any any (msg:”HTTP URI GET/POST contains ‘/56evcxv'”; sid:1; rev:1; flow:established,to_server; content:”/56evcxv”; http_uri; fast_pattern:only; metadata:service http;)
TrickBot
alert icmp any any -> any any (msg:”ICMP traffic conatins ‘hanc'”; sid:1; rev:1; itype:8; icode:0; dsize:22; content:”hanc”; depth:4; fast_pattern; pcre:”/hanc[0-9a-f]{16}../i”; reference:url,labs.sentinelone.com/anchor-project-for-trickbot-adds-icmp/;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Client Header contains POST with ‘host|3a 20|*.onion.link’ and ‘data='”; sid:1; rev:1; flow:established,to_server; content:”POST”; nocase; http_method; content:”host|3a 20|”; http_header; content:”.onion.link”; nocase; http_header; distance:0; within:47; fast_pattern; file_data; content:”data=”; distance:0; within:5; metadata:service http;)
TrickBot
alert tcp any 80 -> any any (msg:”Non-Std TCP Client Traffic contains PowerView Script Download String”; sid:1; rev:1; flow:established,from_server; content:”PowerView.ps1″; content:”PSReflect/master/PSReflect.psm1″; fast_pattern:only; content:”function New-InMemoryModule”; metadata:service else-ports;)
TrickBot
alert tcp any any -> any 445 (msg:”Non-Std TCP Client SMB Traffic contains ‘44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl'”; sid:1; rev:1; flow:established,to_server; content:”44783m8uh77g818_nkubyhu5vfxxbh878xo6hlttkppzf28tsdu5kwppk_11c1jl”; fast_pattern:only; metadata:service netbios-ssn,service and-ports;)
TrickBot
alert tcp any any -> any [80,443,8082] (msg:”Non-Std TCP Client Traffic contains ‘–aksgja8s8d8a8s97′”; sid:1; rev:1; flow:established,to_server; content:”–aksgja8s8d8a8s97″; fast_pattern:only; content:”name=|22|proclist|22|”; metadata:service else-ports;)
TrickBot
alert tcp any any -> any any (msg:”HTTP Client Header contains ‘User-Agent|3a 20|WinHTTP loader/1.0′”; sid:1; rev:1; flow:established,to_server; content:”User-Agent|3a 20|WinHTTP loader/1.0|0d 0a|”; http_header; fast_pattern:only; pcre:”//t(?:oler|able).png/U”; metadata:service http;)
TrickBot
alert tcp any any -> any [443,8082] (msg:”Non-Std TCP Client Traffic contains ‘_W<digits>.'”; sid:1; rev:1; flow:established,to_server; content:”_W”; fast_pattern:only; pcre:”/_Wd{6,8}./”; metadata:service else-ports;)
TrickBot
alert tcp any [443,447] -> any any (msg:”SSL/TLS Server X.509 Cert Field contains ‘example.com’ (Hex)”; sid:1; rev:1; flow:established,from_server; ssl_state:server_hello; content:”|0b|example.com”; fast_pattern:only; content:”Global Security”; content:”IT Department”; pcre:”/(?:x09x00xc0xb9x3bx93x72xa3xf6xd2|x00xe2x08xffxfbx7bx53x76x3d)/”; metadata:service ssl,service and-ports;)
TrickBot
alert tcp any any -> any any+F57 (msg:”HTTP URI GET contains ‘/anchor'”; sid:1; rev:1; flow:established,to_server; content:”/anchor”; http_uri; fast_pattern:only; content:”GET”; nocase; http_method; pcre:”/^/anchor_?.{3}/[w_-]+.[A-F0-9]+/?$/U”; metadata:service http;)
TrickBot
alert udp any any <> any 53 (msg:”DNS Query/Response kostunivo com (UDP)”; sid:1; rev:1; content:”|09|kostunivo|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
TrickBot
alert udp any any <> any 53 (msg:”DNS Query/Response chishir com (UDP)”; sid:1; rev:1; content:”|07|chishir|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
TrickBot
alert udp any any <> any 53 (msg:”DNS Query/Response mangoclone com (UDP)”; sid:1; rev:1; content:”|0A|mangoclone|03|com|00|”; fast_pattern:only; reference:url,medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30; metadata:service dns;)
GootLoader
No signature available.
Auto-update of Azure Log Analytics agent and Diagnostics Extension for Linux extension available
This article is contributed. See the original author and article here.
At Microsoft we are continuously working to harden our environment and make it easier for customers and partners to apply patches and updates. Monthly, Microsoft issues several updates during what is commonly referred to as “Patch Tuesday.” During Patch Tuesday, Microsoft assigns Common Vulnerabilities and Exposure (CVE) numbers to cloud-based vulnerabilities when there is a specific message that we want to send about necessary action to take, either by our customers to protect themselves or by the industry to protect the ecosystem.
When Microsoft issues a CVE, there is almost always action required to be taken by the customer. In instances where customer action is required, Microsoft understands each customer has their own process and timeframe for applying updates. However, we recommend applying all updates as soon as possible.
As part of June’s “Patch Tuesday,” we issued CVE-2022-29149 to address a local Elevation of Privilege in Azure Open Management Infrastructure (OMI).
Over the past year, our team has been developing an Automatic Extension Upgrade feature and are excited to announce the availability of this capability for the Azure Log Analytics agent and Diagnostics extension for Linux.
Background
The Azure Log Analytics agent for Linux (aka OMS agent) and Diagnostics Extension for Linux (aka LAD agent) collects telemetry from Linux virtual machines. The OMS agent works in any cloud, on-premises machines, and machines monitored by System Center Operations Manager. Collected data is sent to your Log Analytics workspace in Azure Monitor. The Log Analytics agent also supports insights and other services in Azure Monitor such as VM insights, Microsoft Defender for Cloud, and Azure Automation. The LAD agent collects the same data types as OMS, but instead has the capability to send the collected data to a variety of data destinations, such as Azure Storage, Metrics, and Event Hub.
New Feature
On Azure Virtual Machines (VMs), the OMS and LAD agents could be installed as a virtual machine extension. Now, you can let the extension automatically update by turning on the “Automatic Extension Upgrade” option for the extensions. You can do this by setting the flag to true via API, CLI or PowerShell as documented here for OMS and here for LAD.
Security Recommendations
We strongly recommend enabling automatic updates for the OMS agent and LAD agent as soon as possible,
- For the longer term, we recommend migrating to Azure Monitor agent that is not dependent on OMI. As communicated previously, the Log Analytics agent is on a deprecation path and will no longer be supported after August 31, 2024. As such, you must ensure migrating to the new Azure Monitor agent prior to that date. We also plan to bring the capabilities of the Diagnostics Extension for Linux (LAD) to Azure Monitor Agent at a later date.
- This update ensures that customers get important security or performance updates to the extension as soon as possible without manual overhead.
As always, we welcome feedback from customers and partners which supports our efforts to continuously harden our products and services. We want to thank the Wiz team for their collaboration and commitment to helping make Azure customers more secure.
Cisco Releases Security Updates for RV Series Routers
This article is contributed. See the original author and article here.
Cisco has released security updates to address vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.
CISA encourages users and administrators to review Cisco advisory cisco-sa-sb-mult-vuln-CbVp4SUR and apply the necessary updates.
F5 Releases Security Updates
This article is contributed. See the original author and article here.
F5 has released security updates to address vulnerabilities in multiple products. A privileged attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the F5 security advisories and apply the necessary updates.
FTC Commissioners aren’t calling you — really
This article was originally posted by the FTC. See the original article here.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.
Recent Comments