This article is contributed. See the original author and article here.
Animated July O T logo
#JulyOT is back for 2022! Throughout the month of July, the IoT teams at Microsoft will be sharing content and events put together by IoT enthusiasts from around the world. This includes content from community members, Microsoft employees, and could even involve you! For every working day in July, we’ll focus on one or more featured content pieces from our curated collection at the new home of #JulyOT – JulyOT.dev!. The idea is to inspire those curious about IoT to pursue their own personal projects within the realm of Internet of Things, and then share them on social media with the hashtag #JulyOT.
We’ll be updating JulyOT.dev with new content every working day in July, so check back there often, or subscribe to the RSS feed. We’ll also be updating this post at the end of each week with a round up of what we covered in that week.
IoT live streams
IoT for Beginners Reactor stream logo
JulyOT kicks off with live streams from the Microsoft Reactor. Check out our events page to learn more and register. These include the first 4 lessons of IoT for Beginners, our free, open source IoT curriculum, as well as live streams in English and Spanish.
IoT Cloud Skills Challenge
A cartoon raccoon holding medals
We’ll also challenge y’all to grow your IoT skills with a cloud skills challenge! More details coming on the 1st July.
Digital swag
What better way to celebrate #JulyOT than with digital swag! Set your desktop or video chat background, and get cool visuals to share on social on our digital swag page.
Enjoy the celebration of #JulyOT
See you all at JulyOT.dev as we celebrate #JulyOT.
This article is contributed. See the original author and article here.
Oracle 19c is the terminal release for Oracle 12c. If you aren’t familiar with that term, a terminal release is the last point release of the product. There were terminal releases for previous Oracle versions (10.2.0.4, 11.2.0.7.0) and after 19c, the next terminal release will be 23c. Therefore, you don’t see many 18c, 20c or 21c databases. We’ve gone to yearly release numbers, but the fact remains that 19c is going to receive all major updates and continue to be supported unlike the non-terminal releases.
Oracle will tell you for support, you should be upgrading to 19c. Premier Oracle Support ended for December 1st, 2020 and as we discussed, not many are going to choose or stay on non-terminal releases, so 19c is it.
With that said, we must offer guidance on recommended practices for Oracle versioning and patching in Azure. Although I will list any bugs and document IDs that back up the recommendations I’m making, be aware that many of these will be behind Oracle Support’s paywall, so you’ll only be able to access them with an Oracle Support CSI. Let’s talk about the things not to do first-
Don’t Upgrade DURING Your Migration
I know it sounds like an awesome idea to upgrade to the latest database version while you are migrating to the cloud, but please, don’t do these two things- migrating to the cloud and upgrading the database/app at the same time. It’s a common scenario that I’m brought in after the Azure specialists are left scratching their head or scrambling to explain what has changed and then I come in to tell them to stand down because it’s the DATABASE THAT’S CHANGED.
Do Patch to the LATEST Patchset for Oracle
I am part of the crowd that often did the latest patchset -1 approach. We would always be one patchset behind and let others figure out how many bugs might be introduced by the patch that had sneaked through testing.
Not anymore… I have a few customers on 19.14, which should be safe, considering the previous practice I mentioned, but the sheer number of bugs and serious bugs that were experienced has changed my thinking to recommend going to the latest patchset.
I think it’s easy to think, “Oh, it’s just a small bug” but I’m in agreement with you, if it’s a small impact and it has an easy work around, that’s one thing, but these bugs I’m referring to are quite impactful and here’s how:
High CPU Usage
19.14 release, there were 11 bugs that caused high CPU usage for Oracle.
High CPU usage to the point of doubling the core count for the VM the database ran on in Azure.
Doubling the need for Oracle licenses for the database, even though it was a bug that was causing all the additional CPU usage.
At $47500 list price per processor license, this isn’t something I’d recommend letting go on.
For one customer that I was deeply involved in, the VM sizing required 20 vCPU to run the workload. I sized up to 32 vCPU for peak workloads and yet they were at 97.6% CPU busy with a 64-core machine. The workload hadn’t changed, and the CPU usage traced was out of control!
I would start here: After Upgrade to 19c, One or More of the Following Issues Occur on Non-Linux Platforms: High Paging/Swapping, High CPU, Poor Performance, ORA-27nnn Errors, ORA-00379 Errors, ORA-04036 Errors (Doc ID 2762216.1)
Killing Sessions in PDB Eventually Results in Poor Buffer Cache Performance Due To Miscalculating Free Buffer Count
Time Slip
This issue will often display an ORA-00800 error and you will need to check the extended trace file for details. It will include the VKTM in the error arguments.
…/trace/xxxxx_vktm_xxxx.trc
ORA-00800: soft external error, arguments: [Set Priority Failed], [VKTM], [Check traces and OS configuration], [Check Oracle document and MOS notes]
The trace file will include additional information about the error, including:
Kstmmainvktm: failed in setting elevated priority
Verify: SETUID is set on ORADISM and restart the instance highres_enabled
This refers to a bug and has two documents around time drift and how to address it-
This article is contributed. See the original author and article here.
The Same KPIs, Different Department
Scenario: You have different managers requesting to see the same KPIs (Customer Count, Revenue Generated, Products Performance, etc) for their different region. Data privacy requires that the various managers only see reports for their regions. A simple way to think about this is by creating different reports for the managers making a total of 3 Reports.
I am sure you will agree with me that this isn’t effective. more efforts and it is not scalable. what if it is a large multinational – country manager, regional manager, group manager, unit head, team leads all across the world? will you also build different reports for over 500 people? With Row Level Security, you can easily address this challenge by building a single Reports and set roles and rules to filter what everyone can see.
This article is contributed. See the original author and article here.
The sales accelerator in Dynamics 365 provides a tailored experience for sellers by minimizing the time spent searching for the best next customer to reach out to. It’s a workspace optimized with AI and suggested activities that guide sellers through customer interactions. The sales accelerator enables your sales team to prioritize their pipeline, reach out to prospects most likely to buy, and respond to recommendations, speeding up the sales process.
Our teams are constantly reviewing customer feedback and optimizing the experience. We have two new updates you’ll see immediately in your environments:
Sales Hub users now get out-of-the-box access to the sales accelerator workspace. (If you use a custom app, additional steps might be required to surface the capabilities.)
Sales engagement managers can discover and configure the sales accelerator in a newly streamlined onboarding process.
Let’s take a deeper look at these improvements.
Out-of-the-box access to the sales accelerator workspace
Sales Hub users will now be able to instantly access the sales accelerator from the left pane on the site map menu. As they access the sales accelerator, sellers will immediately see any activities scheduled for them in the worklist. Without navigating away from the screen, they can see who to contact next, filter and sort the records to their chosen priority, and then take the best next action.
Sales Hub is a Microsoft app that’s designed around the sales processes that most organizations follow. If you’re new to Dynamics 365 Sales and wondering whether to use the Sales Hub app or create a custom app, this comparison will help you decide.
The following improvements help sales engagement managers and admins discover and engage with the right options to implement and deploy the sales accelerator more efficiently:
Independently configured sales accelerator workspace and optimized assignment rules
Context-specific settings
Setup recommendations
Independently configure access to the workspace and assignment rules
Assignment rules enable new leads and opportunities to be automatically assigned to sellers or sales teams. This helps reduce the time and effort required to manually assign records, prevent the loss of unassigned records, and balance assignments among sellers.
Assignment rules can now be independently used or aligned to the use of the sales accelerator. This allows you to select the right options for your sellers and ensure they receive the records to work on, regardless of workspace area. We’ve introduced the ability to set security roles to separately control access to the sales accelerator workspace and assignment rules.
A security role defines how users may access different types of records. You can modify existing security roles, create new security roles, or change which security roles are assigned to each user. Learn more about security roles.
To configure access to the sales accelerator workspace, choose security roles in the Manage access and record type section of the workspace settings page.
To configure access to assignment rules, choose security roles in the Team settings section of the assignment rules settings page.
Context-specific settings
Advanced settings for sequences, assignment rules, and sales teams are now available in context, on the page, rather than requiring navigation to another settings area. This screenshot shows an example of the new in-context settings, using seller availability:
Personalize your workspace
To improve sellers’ productivity, we help them focus on who to engage next. To that end, you can now customize the workspace filters. For example, sellers might want to filter work items based on the lead source, such as website inquiry. Add a filter based on Lead as the record type and Leadsource as the field.
We encourage you to try out different capabilities to get the most out of the sales accelerator. To help you discover its capabilities, we show recommended next steps in workspace settings. Recommendations are tailored to the sales process and based on where your organization is in the setup process, taking away the guesswork and guiding you on a recommended path for a successful implementation.
Stay tuned for more exciting improvements to come, such as customizable worklist cards, advanced sorting, and a new sequence designer experience!
This article is contributed. See the original author and article here.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added to Catalog” column, which will sort by descending dates.
Note: CISA previously added and then removed today’s addition, CVE-2022-26925, to the KEV Catalog after determining that remediations associated with this vulnerability would break certificate authentication for many federal agencies. Details:
CVE-2022-26925 was mitigated by Microsoft’s June 2022 Patch Tuesday update.
The Microsoft update also includes remediations for CVE-2022-26923 and CVE-2022-26931, which change the way certificates are mapped to accounts in Active Directory. These changes break certificate authentication for many federal agencies.
For this reason, CISA has also published a Knowledge Article that provides critical steps that must be followed to prevent service outages. Agencies should review thisKnowledge Articlecarefully before beginning the mitigation process.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the specified criteria.
This article is contributed. See the original author and article here.
Summary
Actions to take today to mitigate cyber threats from ransomware: • Prioritize remediating known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enable and enforce multifactor authentication.
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.
Download the PDF version of this report: pdf, 633 kb
Technical Details
MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].
MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.
MedusaLocker then:
Restarts the LanmanWorkstation service, which allows registry edits to take effect.
Kills the processes of well-known security, accounting, and forensic software.
Restarts the machine in safe mode to avoid detection by security software [T1562.009].
Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].
Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.
Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%Roaming directory and scheduling a task to run the ransomware every 15 minutes.
Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].
MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email address at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.
Disclaimer: Many of these observed IP addresses are several years old and have been historically linked to MedusaLocker ransomware. We recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.
IP Address
Last Observed
195.123.246.138
Nov-2021
138.124.186.221
Nov-2021
159.223.0.9
Nov-2021
45.146.164.141
Nov-2021
185.220.101.35
Nov-2021
185.220.100.249
Sep-2021
50.80.219.149
Sep-2021
185.220.101.146
Sep-2021
185.220.101.252
Sep-2021
179.60.150.97
Sep-2021
84.38.189.52
Sep-2021
94.232.43.63
Jul-2021
108.11.30.103
Apr-2021
194.61.55.94
Apr-2021
198.50.233.202
Apr-2021
40.92.90.105
Jan-2021
188.68.216.23
Dec-2020
87.251.75.71
Dec-2020
196.240.57.20
Oct-2020
198.0.198.5
Aug-2020
194.5.220.122
Mar-2020
194.5.250.124
Mar-2020
194.5.220.124
Mar-2020
104.210.72.161
Nov-2019
MITRE ATT&CK Techniques
MedusaLocker actors use the ATT&CK techniques listed in Table 1.
Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise
Initial Access
Technique Title
ID
Use
External Remote Services
T1133
MedusaLocker actors gained access to victim devices through vulnerable RDP configurations.
Phishing
T1566
MedusaLocker actors used phishing and spearphishing to obtain access to victims’ networks.
Execution
Technique Title
ID
Use
Command and Scripting Interpreter: PowerShell
T1059.001
MedusaLocker actors may abuse PowerShell commands and scripts for execution.
Defense Evasion
Technique Title
ID
Use
Impair Defenses: Safe Mode Boot
T1562.009
MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services.
Impact
Technique Title
ID
Use
Data Encrypted for Impact
T1486
MedusaLocker actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.
Inhibit System Recovery
T1490
MedusaLocker actors may deny access to operating systems containing features that can help fix corrupted systems, such as backup catalog, volume shadow copies, and automatic repair.
Mitigations
Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
Regularly back up data and password protect backup copies stored offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Install updates for operating systems, software, and firmware as soon as possible.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Disable unused ports.
Consider adding an email banner to emails received from outside your organization.
Disable hyperlinks in received emails.
Enforce multifactor authentication (MFA).
Use National Institute of Standards and Technology (NIST) standards for developing and managing password policies:
Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
Store passwords in hashed format using industry-recognized password managers.
Add password user “salts” to shared login credentials.
Refrain from requiring password changes unless there is evidence of password compromise. Note: NIST guidance suggests favoring longer passwords and no longer require regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
Require administrator credentials to install software.
Only use secure networks; avoid using public Wi-Fi networks.
Consider installing and using a virtual private network (VPN) to establish secure remote connections.
Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams.
Resources
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
To report an incident and request technical assistance, contact CISA at cisaservicedesk@cisa.dhs.gov or 888-282-0870, or FBI through a local field office.
Financial Institutions must ensure compliance with any applicable Bank Secrecy Act requirements, including suspicious activity reporting obligations. Indicators of compromise (IOCs), such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events via SARs, see FinCEN Advisory FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, October 25, 2016; and FinCEN Advisory FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, November 8, 2021, which updates FinCEN Advisory FIN-2020-A006.
The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
Contact Information
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To report incidents and anomalous activity or to request incident response resources or technical assistance related to this threat, contact CISA at report@cisa.gov.
Recent Comments