Original release date: June 23, 2022
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
• Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims’ networks.
CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.
See the list below to download copies of IOCs:
Download the pdf version of this report: [pdf, 483 kb]
Technical Details
Note: this advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques.
Log4Shell is a remote code execution vulnerability affecting the Apache® Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code. The request allows the malicious actors to take full control of the affected system. (For more information on Log4Shell, see CISA’s Apache Log4j Vulnerability Guidance webpage and VMware advisory VMSA-2021-0028.13.)
VMware made fixes available in December 2021 and confirmed exploitation in the wild on December 10, 2021.[1] Since December 2021, multiple cyber threat actor groups have exploited [T1190] Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access [TA0001] to networks.
After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors connected to known malicious IP address 104.223.34[.]198
.[2] This IP address uses a self-signed certificate CN: WIN-P9NRMH5G6M8.
In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network.
The sections below provide information CISA and CGCYBER obtained during incident response activities at two related confirmed compromises.
Victim 1
CGCYBER conducted a proactive threat-hunting engagement at an organization (Victim 1) compromised by actors exploiting Log4Shell in VMware Horizon. After obtaining access, threat actors uploaded malware, hmsvc.exe
, to a compromised system. During malware installation, connections to IP address 104.223.34[.]198
were observed.
CISA and CGCYBER analyzed a sample of hmsvc.exe
from the confirmed compromise. hmsvc.exe masquerades as a legitimate Microsoft® Windows® service (SysInternals LogonSessions software) [T1036.004] and appears to be a modified version of SysInternals LogonSessions software embedded with malicious packed code. When discovered, the analyzed sample of hmsvc.exe was running as NT AUTHORITYSYSTEM
, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges.
hmsvc.exe
is a Windows loader containing an embedded executable, 658_dump_64.exe
. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes [T1056.001], upload and execute additional payloads [T1105], and provide graphical user interface (GUI) access over a target Windows system’s desktop. The malware can function as a C2 tunneling proxy [T1090], allowing a remote operator to pivot to other systems and move further into a network.
When first executed, hmsvc.exe
creates the Scheduled Task [T1053.005], C:WindowsSystem32TasksLocal Session Updater
, which executes malware every hour. When executed, two randomly named *.tmp
files are written to the disk at the location C:Users<USER>AppDataLocalTemp
and the embedded executable attempts to connect to hard-coded C2 server 192.95.20[.]8
over port 4443
, a non-standard port [TT571]. The executable’s inbound and outbound communications are encrypted with a 128-bit key [T1573.001].
For more information on hmsvc.exe, including IOCs and detection signatures, see MAR-10382254-1.
Victim 2
From late April through May 2022, CISA conducted an onsite incident response engagement at an organization (Victim 2) where CISA observed bi-directional traffic between the organization and suspected APT IP address 104.223.34[.]198
. During incident response, CISA determined Victim 2 was compromised by multiple threat actor groups.
The threat actors using IP 104.223.34[.]198
gained initial access to Victim 2’s production environment in late January 2022, or earlier. These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts [T1059.001] to callout to 109.248.150[.]13
via Hypertext Transfer Protocol (HTTP) [T1071.001] to retrieve additional PowerShell scripts. Around the same period, CISA observed the actors attempt to download [T1105] and execute a malicious file from 109.248.150[.]13
. The activity started from IP address 104.155.149[.]103
, which appears to be part of the actors’ C2 [TA0011] infrastructure.
After gaining initial access to the VMware Horizon server, the threat actors moved laterally [TA0008] via Remote Desktop Protocol (RDP) [T1021.001] to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The threat actors also moved laterally via RDP to the organization’s disaster recovery network. The threat actors gained credentials [TA0006] for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired.
After moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2. The threat actors used compromised administrator accounts to run the loader malware. The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. The embedded executables belong to the same malware family, are similar in design and functionality to 658_dump_64.exe
, and provide C2 capabilities to a remote operator. These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy.
CISA found the following loader malware:
SvcEdge.exe
is a malicious Windows loader containing encrypted executable f7_dump_64.exe
. When executed, SvcEdge.exe
decrypts and loads f7_dump_64.exe
into memory. During runtime, f7_dump_64.exe
connects to hard-coded C2 server 134.119.177[.]107
over port 443
.
odbccads.exe
is a malicious Windows loader containing an encrypted executable. When executed, odbccads.exe
decrypts and loads the executable into memory. The executable attempts communication with the remote C2 address 134.119.177[.]107
.
praiser.exe
is a Windows loader containing an encrypted executable. When executed, praiser.exe
decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address 162.245.190[.]203
.
fontdrvhosts.exe
is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address 155.94.211[.]207
.
winds.exe
is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. The executable attempts communication with hard-coded C2 address 185.136.163[.]104
. winds.exe
has complex obfuscation, hindering the analysis of its code structures. The executable’s inbound and outbound communications are encrypted with an XOR key [T1573.001].
For more information on these malware samples, including IOCs and detection signatures, see MAR-10382580-1.
Additionally, CISA identified a Java® Server Pages (JSP) application (error_401.js
) functioning as a malicious webshell [T505.003] and a malicious Dynamic Link Library (DLL) file:
error_401.jsp
is a webshell designed to parse data and commands from incoming HTTP requests, providing a remote operator C2 capabilities over compromised Linux and Windows systems. error_401.jsp
allows actors to retrieve files from the target system, upload files to the target system, and execute commands on the target system. rtelnet
is used to execute commands on the target system. Commands and data sent are encrypted via RC4 [T1573.001]. For more information on error_401.jsp
, including IOCs, see [MAR-10382580 2].
newdev.dll
ran as a service in the profile of a known compromised user on a mail relay server. The malware had path: C:Users<user>AppDataRoamingnewdev.dll
. The DLL may be the same newdev.dll
attributed to the APT actors in open-source reporting; however, CISA was unable to recover the file for analysis.
Threat actors collected [TA0009] and likely exfiltrated [TA0010] data from Victim 2’s production environment. For a three week period, the security management and certificate servers communicated with the foreign IP address 92.222.241[.]76
. During this same period, the security management server sent more than 130 gigabytes (GB) of data to foreign IP address 92.222.241[.]76
, indicating the actors likely exfiltrated data from the production environment. CISA also found .rar
files containing sensitive law enforcement investigation data [T1560.001] under a known compromised administrator account.
Note: the second threat actor group had access to the organization’s test and production environments, and on or around April 13, 2022, leveraged CVE-2022-22954 to implant the Dingo J-spy webshell. According to trusted third-party reporting, multiple large organizations have been targeted by cyber actors leveraging CVE-2022-22954 and CVE-2022-22960. For more information on exploitation of CVE-2022-22954 and CVE-2022-22960, see CISA CSA Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control.
Incident Response
If administrators discover system compromise, CISA and CGCYBER recommend:
- Immediately isolating affected systems.
- Collecting and reviewing relevant logs, data, and artifacts.
- Considering soliciting support from a third-party incident response organization that can provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
- Reporting incidents to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870). To report cyber incidents to the Coast Guard pursuant to 33 CFR Section 101.305, contact the U.S. Coast Guard (USCG) National Response Center (NRC) (NRC@uscg.mil or 800-424-8802).
Mitigations
CISA and CGCYBER recommend organizations install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
- If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised. Follow the pro-active incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible.
- See VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.
- Note: until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.
- If upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.
- Prior to implementing any temporary solution, ensure appropriate backups have been completed.
- Verify successful implementation of mitigations by executing the vendor supplied script
Horizon_Windows_Log4j_Mitigations.zip
without parameters to ensure that no vulnerabilities remain. See KB87073 for details.
Additionally, CISA and CGCYBER recommend organizations:
- Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
- Minimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services non-essential to business operations. Where possible, implement regularly updated WAFs in front of public-facing services. WAFs can protect against web based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.
- Use best practices for identity and access management (IAM) by implementing multifactor authentication (MFA), enforcing use of strong passwords, and limiting user access through the principle of least privilege.
Contact Information
Recipients of this report are encouraged to contribute any additional information related to this threat.
- To request incident response resources or technical assistance related to these threats, email CISA at report@cisa.gov. To contact Coast Guard Cyber Command in relation to these threats, email maritimecyber@uscg.mil.
- To report cyber incidents to the Coast Guard pursuant to 33 CFR Section 101.305 contact the USCG NRC (NRC@uscg.mil or 800-424-8802).
Resources
- For more information on Log4Shell, see:
- See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance Block and Defend Web Shell Malware for additional guidance on hardening internet-facing systems.
References
[1] VMware Security Advisory VMSA-2021-0028.13
[2] Fortinet’s blog New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Appendix A: Indicators of Compromise
See MAR-10382580-1 and MAR-10382254-1 and Table 1 for IOCs. See the list below to download copies of these IOCs:
Table 1: Indicators of Compromise
Type |
Indicator |
Description |
IP Address |
104.223.34[.]198 |
IP address closely associated with the installation of malware on victims. |
92.222.241[.]76 |
Victim 2 servers communicated with this IP address and sent data to it during a three-week period. |
109.248.150[.]13 |
Actors attempting to download and execute a malicious file from this address. |
104.155.149[.]103 |
Appears to be a part of the actors’ C2 infrastructure. |
Network Port |
192.95.20[.]8:80 |
Same description as IP 192.95.20[.]8 , but includes the specific destination port of 80, which was identified in logs and during malware analysis. |
1389 |
This was the most common destination port for Log4Shell exploitation outbound connections. Multiple unique destination addresses were used for Log4Shell callback. |
104.223.34[.]198:443 |
IP address closely associated to the installation of malware on victims with the specific destination port of 443. |
Scheduled Task |
C:WindowsSystem32TasksLocal Session Update |
Scheduled task created by hmsvc.exe to execute the program hourly. |
File Path |
C:WindowsTemplnk{4_RANDOM_CHARS}.tmp |
File created by hmsvc.exe with a random four-character filename. |
C:WindowsTemplnk<4_RANDOM_NUMS_CHAR S>.tmp |
File created by hmsvc.exe with a random four-character filename. |
Appendix B: Threat Actor TTPs
See Table 2 for the threat actors’ tactics and techniques identified in this CSA. See the MITRE ATT&CK for Enterprise framework, version 11, for all referenced threat actor tactics and techniques.
Table 2: Tactics and Techniques
Tactic |
Technique |
Initial Access [TA0001] |
Exploit Public-Facing Application [T1190] |
Execution [TA0002]
|
Command and Scripting Interpreter: PowerShell [T1059.001] |
Scheduled Task/Job: Scheduled Task [T1053.005] |
Persistence [TA0003] |
Server Software Component: Web Shell [T1505.003] |
Defense Evasion [TA0005] |
Masquerading: Masquerade Task or Service [T1036.004] |
Credential Access [TA0006] |
|
Lateral Movement [TA0008] |
Remote Services: Remote Desktop Protocol [T1021.001] |
Collection [TA0009] |
Archive Collected Data: Archive via Utility [T1560.001] |
Input Capture: Keylogging [T1056.001] |
Command and Control [TA0011] |
Application Layer Protocol: Web Protocols [T1071.001] |
Encrypted Channel: Symmetric Cryptography [1573.001] |
Ingress Tool Transfer [T1105] |
Non-Standard Port [T1571] |
|
Proxy [T1090] |
Disclaimer
© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Acknowledgements
CISA and CGCYBER would like to thank VMware and Secureworks for their contributions to this CSA.
Revisions
- June 23, 2022: Initial version
This product is provided subject to this Notification and this Privacy & Use policy.
Source de l’article sur us-cert.gov
How Low Code Demands More Creativity From Developers
Actualités, Méthodes et organisation des process ITYes, engineering is a science, but it’s more and more an art, too. Developers must be at least as creative as the next hacker — and they need to cultivate user empathy. That’s why organizations benefit from automating the minutia, allowing devs to focus on novel problem-solving. This is where the promise of no-code and low-code development comes in — not to replace developer jobs, but to transform them into knowledge worker roles. Read on to learn about the no-code/low-code movement, how it fits into your work as a developer, and where it’s heading.
Source de l’article sur DZONE
AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
Sécurité de l'information et du SI, Sécurité de l’information, Sécurité du système d’informationOriginal release date: June 23, 2022
Summary
Actions to take today:
• Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
• Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services
The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.
Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.
This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims’ networks.
CISA and CGCYBER recommend all organizations with affected systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities using the IOCs provided in this CSA, Malware Analysis Report (MAR)-10382580-1, and MAR-10382254-1. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA and report key findings to CISA.
See the list below to download copies of IOCs:
Download the pdf version of this report: [pdf, 483 kb]
Technical Details
Note: this advisory uses the MITRE ATT&CK for Enterprise framework, version 11. See Appendix A for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques.
Log4Shell is a remote code execution vulnerability affecting the Apache® Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. The vulnerability enables malicious cyber actors to submit a specially crafted request to a vulnerable system, causing the system to execute arbitrary code. The request allows the malicious actors to take full control of the affected system. (For more information on Log4Shell, see CISA’s Apache Log4j Vulnerability Guidance webpage and VMware advisory VMSA-2021-0028.13.)
VMware made fixes available in December 2021 and confirmed exploitation in the wild on December 10, 2021.[1] Since December 2021, multiple cyber threat actor groups have exploited [T1190] Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access [TA0001] to networks.
After obtaining access, some actors implanted loader malware on compromised systems with embedded executables enabling remote C2. These actors connected to known malicious IP address
104.223.34[.]198
.[2] This IP address uses a self-signed certificate CN:WIN-P9NRMH5G6M8.
In at least one confirmed compromise, the actors collected and exfiltrated sensitive information from the victim’s network.The sections below provide information CISA and CGCYBER obtained during incident response activities at two related confirmed compromises.
Victim 1
CGCYBER conducted a proactive threat-hunting engagement at an organization (Victim 1) compromised by actors exploiting Log4Shell in VMware Horizon. After obtaining access, threat actors uploaded malware,
hmsvc.exe
, to a compromised system. During malware installation, connections to IP address104.223.34[.]198
were observed.CISA and CGCYBER analyzed a sample of
hmsvc.exe
from the confirmed compromise. hmsvc.exe masquerades as a legitimate Microsoft® Windows® service (SysInternals LogonSessions software) [T1036.004] and appears to be a modified version of SysInternals LogonSessions software embedded with malicious packed code. When discovered, the analyzed sample of hmsvc.exe was running asNT AUTHORITYSYSTEM
, the highest privilege level on a Windows system. It is unknown how the actors elevated privileges.hmsvc.exe
is a Windows loader containing an embedded executable,658_dump_64.exe
. The embedded executable is a remote access tool that provides an array of C2 capabilities, including the ability to log keystrokes [T1056.001], upload and execute additional payloads [T1105], and provide graphical user interface (GUI) access over a target Windows system’s desktop. The malware can function as a C2 tunneling proxy [T1090], allowing a remote operator to pivot to other systems and move further into a network.When first executed,
hmsvc.exe
creates the Scheduled Task [T1053.005],C:WindowsSystem32TasksLocal Session Updater
, which executes malware every hour. When executed, two randomly named*.tmp
files are written to the disk at the locationC:Users<USER>AppDataLocalTemp
and the embedded executable attempts to connect to hard-coded C2 server192.95.20[.]8
over port4443
, a non-standard port [TT571]. The executable’s inbound and outbound communications are encrypted with a 128-bit key [T1573.001].For more information on hmsvc.exe, including IOCs and detection signatures, see MAR-10382254-1.
Victim 2
From late April through May 2022, CISA conducted an onsite incident response engagement at an organization (Victim 2) where CISA observed bi-directional traffic between the organization and suspected APT IP address
104.223.34[.]198
. During incident response, CISA determined Victim 2 was compromised by multiple threat actor groups.The threat actors using IP
104.223.34[.]198
gained initial access to Victim 2’s production environment in late January 2022, or earlier. These actors likely obtained access by exploiting Log4Shell in an unpatched VMware Horizon server. On or around January 30, likely shortly after the threat actors gained access, CISA observed the actors using PowerShell scripts [T1059.001] to callout to109.248.150[.]13
via Hypertext Transfer Protocol (HTTP) [T1071.001] to retrieve additional PowerShell scripts. Around the same period, CISA observed the actors attempt to download [T1105] and execute a malicious file from109.248.150[.]13
. The activity started from IP address104.155.149[.]103
, which appears to be part of the actors’ C2 [TA0011] infrastructure.After gaining initial access to the VMware Horizon server, the threat actors moved laterally [TA0008] via Remote Desktop Protocol (RDP) [T1021.001] to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. The threat actors also moved laterally via RDP to the organization’s disaster recovery network. The threat actors gained credentials [TA0006] for multiple accounts, including administrator accounts. It is unknown how these credentials were acquired.
After moving laterally to other production environment hosts and servers, the actors implanted loader malware on compromised servers containing executables enabling remote C2. The threat actors used compromised administrator accounts to run the loader malware. The loader malware appears to be modified versions of SysInternals LogonSessions, Du, or PsPing software. The embedded executables belong to the same malware family, are similar in design and functionality to
658_dump_64.exe
, and provide C2 capabilities to a remote operator. These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The embedded executables can also function as a proxy.CISA found the following loader malware:
SvcEdge.exe
is a malicious Windows loader containing encrypted executablef7_dump_64.exe
. When executed,SvcEdge.exe
decrypts and loadsf7_dump_64.exe
into memory. During runtime,f7_dump_64.exe
connects to hard-coded C2 server134.119.177[.]107
over port443
.odbccads.exe
is a malicious Windows loader containing an encrypted executable. When executed,odbccads.exe
decrypts and loads the executable into memory. The executable attempts communication with the remote C2 address134.119.177[.]107
.praiser.exe
is a Windows loader containing an encrypted executable. When executed,praiser.exe
decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address162.245.190[.]203
.fontdrvhosts.exe
is a Windows loader that contains an encrypted executable. When executed, fontdrvhosts.exe decrypts and loads the executable into memory. The executable attempts connection to hard-coded C2 address155.94.211[.]207
.winds.exe
is a Windows loader containing an encrypted malicious executable and was found on a server running as a service. During runtime, the encrypted executable is decrypted and loaded into memory. The executable attempts communication with hard-coded C2 address185.136.163[.]104
.winds.exe
has complex obfuscation, hindering the analysis of its code structures. The executable’s inbound and outbound communications are encrypted with an XOR key [T1573.001].For more information on these malware samples, including IOCs and detection signatures, see MAR-10382580-1.
Additionally, CISA identified a Java® Server Pages (JSP) application (
error_401.js
) functioning as a malicious webshell [T505.003] and a malicious Dynamic Link Library (DLL) file:error_401.jsp
is a webshell designed to parse data and commands from incoming HTTP requests, providing a remote operator C2 capabilities over compromised Linux and Windows systems.error_401.jsp
allows actors to retrieve files from the target system, upload files to the target system, and execute commands on the target system.rtelnet
is used to execute commands on the target system. Commands and data sent are encrypted via RC4 [T1573.001]. For more information onerror_401.jsp
, including IOCs, see [MAR-10382580 2].newdev.dll
ran as a service in the profile of a known compromised user on a mail relay server. The malware had path:C:Users<user>AppDataRoamingnewdev.dll
. The DLL may be the samenewdev.dll
attributed to the APT actors in open-source reporting; however, CISA was unable to recover the file for analysis.Threat actors collected [TA0009] and likely exfiltrated [TA0010] data from Victim 2’s production environment. For a three week period, the security management and certificate servers communicated with the foreign IP address
92.222.241[.]76
. During this same period, the security management server sent more than 130 gigabytes (GB) of data to foreign IP address92.222.241[.]76
, indicating the actors likely exfiltrated data from the production environment. CISA also found.rar
files containing sensitive law enforcement investigation data [T1560.001] under a known compromised administrator account.Note: the second threat actor group had access to the organization’s test and production environments, and on or around April 13, 2022, leveraged CVE-2022-22954 to implant the Dingo J-spy webshell. According to trusted third-party reporting, multiple large organizations have been targeted by cyber actors leveraging CVE-2022-22954 and CVE-2022-22960. For more information on exploitation of CVE-2022-22954 and CVE-2022-22960, see CISA CSA Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control.
Incident Response
If administrators discover system compromise, CISA and CGCYBER recommend:
Mitigations
CISA and CGCYBER recommend organizations install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
Horizon_Windows_Log4j_Mitigations.zip
without parameters to ensure that no vulnerabilities remain. See KB87073 for details.Additionally, CISA and CGCYBER recommend organizations:
Contact Information
Recipients of this report are encouraged to contribute any additional information related to this threat.
Resources
References
[1] VMware Security Advisory VMSA-2021-0028.13
[2] Fortinet’s blog New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
Appendix A: Indicators of Compromise
See MAR-10382580-1 and MAR-10382254-1 and Table 1 for IOCs. See the list below to download copies of these IOCs:
Table 1: Indicators of Compromise
104.223.34[.]198
92.222.241[.]76
109.248.150[.]13
104.155.149[.]103
192.95.20[.]8:80
192.95.20[.]8
, but includes the specific destination port of 80, which was identified in logs and during malware analysis.1389
104.223.34[.]198:443
C:WindowsSystem32TasksLocal Session Update
hmsvc.exe
to execute the program hourly.C:WindowsTemplnk{4_RANDOM_CHARS}.tmp
hmsvc.exe
with a random four-character filename.C:WindowsTemplnk<4_RANDOM_NUMS_CHAR S>.tmp
hmsvc.exe
with a random four-character filename.Appendix B: Threat Actor TTPs
See Table 2 for the threat actors’ tactics and techniques identified in this CSA. See the MITRE ATT&CK for Enterprise framework, version 11, for all referenced threat actor tactics and techniques.
Table 2: Tactics and Techniques
Execution [TA0002]
Disclaimer
© 2021 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Acknowledgements
CISA and CGCYBER would like to thank VMware and Secureworks for their contributions to this CSA.
Revisions
This product is provided subject to this Notification and this Privacy & Use policy.
Source de l’article sur us-cert.gov
Writing Beautiful, Optimized, and Better .NET Code With NDepend Static Analysis
Actualités, Méthodes et organisation des process ITOver the years, I’ve been in various discussions regarding the benefits of clean architecture, best practices, techniques such as code reviews, unit tests, etc., and I think to some degree, most of us are aligned on the reasons behind it. Having a clean architecture or code-base not only makes your development team happier, but it has a far-reaching impact on the business itself.
In this post, we will learn about NDepend, which is described on their website as the following:
Source de l’article sur DZONE
Championnat de France 2022 de sport adapté à Seyssins
Actualités, Ankaa Pmo® Inside, Séminaire, Salons, PublicitéANKAA PMO est très fière d’avoir participé à cet évènement tellement émouvant.
Merci les Fabulous !
How to Bootstrap a Web Design Business
Actualités, ActualitésStarting your own business is a process with a fair share of challenges. Even in the web design world, where you can potentially minimize costs by working from home and collaborating with freelance contractors, many expenses exist.
To run a successful web design business, you need enough money to invest in everything from skilled colleagues to resources (like fonts and themes), software subscriptions, and technology tools. Finding a way to fund your company can be the most complicated part of ensuring its success.
For most new companies, the easiest option to generate opportunities is “bootstrapping.” Learning how to bootstrap a web design business means knowing how to bring your business to life with virtually no starting capital.
Here’s how to get started.
What is Bootstrapping?
Successful bootstrappers take an idea, such as creating a web design company and create a fantastic company without the backing of investors. It takes significant dedication, commitment, and single-mindedness to accomplish your goals, but some of the world’s greatest entrepreneurs, like Steve Jobs and Sam Walton, got their start this way.
The term “bootstrapping” comes from the phrase “to pull yourself up by the bootstraps,” which indicates overcoming challenges on your own without any external support.
The pros and cons of bootstrapping include:
Pros:
Cons:
How to Bootstrap Your Web Design Business: Step by Step
Bootstrapping a web design business can be complicated, but it works for many companies if you follow the right strategy. The good news is web design companies generally don’t require as much initial capital as some other types of companies, like standard retail brands or companies with a need for brick and mortar offices.
However, there are still steps you’ll need to follow to ensure success.
Step 1: Source Some Initial Funds
While you might not work with investors when bootstrapping your web design business, you’ll still need some essential initial funds. To run a web design business, you won’t necessarily need a massive initial investment, but you will need something.
To determine how much capital you need to raise from your income, savings, a line of credit, or other common bootstrapping sources, think about:
Step 2: Find a USP
The easiest way to ensure a bootstrapped web design business is a success is to ensure you are offering specific clients something they genuinely need. In a service-based landscape like web design, you need to know what your customers want and offer something they can’t get elsewhere.
For instance, can you differentiate yourself from other web design companies by helping with modern trends like 360-degree video and XR-ready design? Can you build apps for companies from scratch and provide ongoing maintenance for the websites you make?
An excellent way to find your USP is to examine your competitors. Find out what other companies in your area are offering their customers, and listen to consumers in your industry when they talk about what they need from a website designer.
Step 3: Choose a Cash Flow Optimized Model
Since you’re relying only on your cash and the money you make from your web design business to fuel its growth, choosing a model optimized for consistent cash flow is essential. Bootstrapping a business often means you place most of the profit you gain from your company back into the development of the brand.
With this in mind, consider how you’ll offer services and charge your customers. Are you going to ask for a portion of the fees up-front before starting a web design project? Can you provide your customers with subscription models to improve your revenue consistently?
For instance, you could provide help with ongoing maintenance, development, and support rather than just offering to build websites for companies. Another way to make additional income is with professional services, like consulting.
Make sure there’s a market for the services you’ll offer before launching your business by examining the surrounding environments and services your competitors provide.
Step 4: Keep Costs Low and Profits High
Keeping costs low will be essential to ensuring your success when bootstrapping a business. Fortunately for web designers, it’s relatively easy to cut down on fees. For instance, WordPress is free to use for your development projects, making it an excellent choice for many web design strategies.
You can also look into common free and cheap alternatives to web design tools online, like GIMP. Shop around for the things you will be paying ongoing fees with. For instance, it’s best to check out multiple vendors when looking for web hosting and marketing support.
While keeping your costs low, it’s also essential to accelerate profits as much as possible. You can look for ways to boost customer retention by building stronger relationships with your clients and offering them deals on long-term subscriptions.
If you have time outside of your web design business, you can also try taking on some side hustles. Options include:
Step 5: Grow Cautiously
Finally, while the goal of successfully bootstrapping your web design business will be to grow as rapidly and consistently as possible, it’s important to be cautious. For instance, you’ll need to be able to afford the fees of every new designer you bring onto your team, so consider looking for freelancers and contractors rather than permanent hires.
Use organic channels for marketing your services, like blogging and content marketing which can help improve your SEO standing and attract attention among clients. Plus, encourage your customers to recommend your services to other brands.
As new clients approach your business, ensure you only take on as many customers as you can reasonably handle. Compromising on quality will damage your relationships with customers and harm your reputation.
Good Luck Bootstrapping Your Business
When you’re bootstrapping a business, you get the benefit of being able to eliminate any outside influences from your growth. You’re free to focus on building relationships with companies of your choice, and you get to make decisions about your growth. However, there are downsides, too, like significant stress and limited financial opportunities.
While bootstrapping your business is tough, if you manage to complete the process successfully, the results can be fantastic.
Featured image via Unsplash.
Source
The post How to Bootstrap a Web Design Business first appeared on Webdesigner Depot.
Source de l’article sur Webdesignerdepot
Top ALM Tools and Solutions Providers
Actualités, Méthodes et organisation des process ITA good application lifecycle management (ALM) package has software that is able to carefully manage and monitor all aspects of software development. ALM applications provide tools for managing and completing the phases of design, development, testing, deployment, and ongoing enhancements. With an ALM solution in place, organizations can significantly improve the way they design, build, test, and adapt their software. Greater customer satisfaction, speed of development, and reduction of cost is the often the result.
Top ALM Tools:
VersionOne
Source de l’article sur DZONE
C++ Creator Bjarne Stroustrup Interview
Actualités, Méthodes et organisation des process ITWe had a great talk with Bjarne Stroustrup, the designer and original implementer of C++. He is also the author of The C++ Programming Language (Fourth Edition), A Tour of C++ (Second Edition), Programming: Principles and Practice Using C++ (Second Edition), and many popular academic publications.
Enjoy the full interview below!
Source de l’article sur DZONE
7 UX Laws You’Re Probably Getting Wrong
Actualités, ActualitésUX laws are an invaluable tool, providing guidelines for designers that ensure we don’t have to continually reinvent the wheel when crafting experiences for the web.
However, UX laws tend to be devised by scientists and psychologists — people who are more than comfortable with the exceptions and allowances of academic language. By the time they filter down to us in the trenches, the language has invariably been over-simplified, and the wisdom behind the idea diluted.
Today we’re going to look at seven well-known and commonly cited rules of UX design that too many designers get wrong.
1. Jakob’s Law
Jakob’s Law, named for the UX researcher Jakob Nielsen, states that users spend most of their time on other sites and as a result prefer sites that work the same way as the sites they already know.
Jakob’s Law has often been used to limit experimentation and encourage the adoption of common design patterns in the name of usability.
However, the word ‘prefer’ is hugely loaded. While it’s true that a user will more easily understand a familiar design pattern, they do not necessarily prefer familiar experiences.
It has been widely proved that new experiences boost our mood and that new experiences improve our memory. If your goal is a memorable site that leaves users with a positive impression, introducing novelty is a sound decision.
2. Goal Gradient Hypothesis
The Goal Gradient Hypothesis assumes that the closer users are to their goal, the more likely they are to complete it.
It’s an attractive theory, especially in e-commerce, where it is often used to justify simplifying the initial purchase process and postponing complexity to move users along the funnel — a typical example is leaving shipping charges until the final step.
However, anyone who has studied e-commerce analytics will know that cart abandonment is a huge issue. In North America, shopping cart abandonment is as high as 74%.
We don’t always know what the user’s goals are, and they may not match ours. It may be that users are treating your shopping cart as a bookmark feature, it may be that they have a last-minute change of heart, or they may be horrified by the shipping charges.
While providing a user with an indication of their progress is demonstrably helpful, artificially inflating their proximity to your preferred goal may actually hinder conversions.
3. Miller’s Law
Never in the whole of human history has any scientific statement been as misunderstood as Miller’s Law.
Miller’s Law states that an average person can only hold seven, plus or minus two (i.e., 5–9) items in their working memory. This has frequently been used to restrict UI navigation to no more than five items.
However, Miller’s Law does not apply to items being displayed. While it’s true that too many options can lead to choice paralysis, a human being is capable of considering more than nine different items.
Miller’s Law only applies to UI elements like carousels, which have been widely discredited for other reasons.
4. Aesthetic-Usability Effect
Edmund Burke once said, “Beauty is the promise of happiness.” That belief is central to the Aesthetic-Usability Effect, which posits that users expect aesthetically pleasing designs to be more usable.
Designers often use this as a justification for grey-on-grey text, slick animations, and minimal navigation.
Critical to understanding this is that just because users expect a design to be usable does not mean that it is or that they will find it so. Expectations can quickly be dashed, and disappointment often compounds negative experiences.
5. Peak-End Rule
The Peak-End Rule states that users judge an experience based on how they felt at the peak and the end, rather than an average of the experience.
Designers commonly use the Peak-End Rule to focus design resources on the primary goal of each experience (e.g. adding an item to a cart) and the closing experience (e.g. paying for the item).
However, while the Peak-End Law is perfectly valid, it cannot apply to open experiences like websites when it is impossible to identify a user’s starting or ending point.
Additionally, it is easy to see every interaction on a website as a peak and even easier to make assumptions as to which peak is most important. As such, while designing for peaks is attractive, it’s more important to design for exceptions.
6. Fitts’ Law
In the 1950s, Paul Fitts demonstrated that the distance to, and size of a target, affect the error rate of selecting that target. In other words, it’s harder to tap a small button and exponentially harder to tap a small button that is further away.
UX designers commonly apply this law when considering mobile breakpoints due to the relatively small viewport. However, mobile viewports tend not to be large enough for any distance to affect tap accuracy.
Fitts’ Law can be applied to desktop breakpoints, as the distances on a large monitor can be enough to have an impact. However, the majority of large viewports use a mouse, which allows for positional corrections before tapping.
Tappable targets should be large enough to be easily selected, spaced sufficiently, and tab-selection should be enabled. But distance has minimal impact on web design.
7. Occam’s Razor
No collection of UX laws would be complete without Occam’s Razor; unfortunately, this is another law that is commonly misapplied.
Occam’s Razor states that given any choice, the option with the least assumptions (note: not necessarily the simplest, as it is often misquoted) is the correct choice.
In an industry in which we have numerous options to test, measure, and analyze our user interfaces, you shouldn’t need to make assumptions. Even when we don’t need extensive UX testing, we can make decisions based on other designers’ findings.
Occam’s Razor is a classic design trap: the key to avoiding it is to recognize that it’s not your assumptions that matter, it’s the users’. As such, Occam’s Razor applies to a user’s experience, not a design process.
Source
The post 7 UX Laws You’Re Probably Getting Wrong first appeared on Webdesigner Depot.
Source de l’article sur Webdesignerdepot
How to Translate Value to Executives Using an Outcome-Driven Mindset
Actualités, Méthodes et organisation des process ITAn IT project is never an end in itself, but a means to attain a business objective. In this day and age, when leaders and decision-makers are exposed to buzzwords, frameworks, and tech trends constantly, it is more important than ever to take a step back and reflect on the business goal before deciding on the technological way to get there.
Decades after the advent of information technology, the challenge remains the same: to successfully apply IT practices that improve revenue streams and unlock new DevOps opportunities. Organizations urgently need to establish frameworks to manage information systems and apply them to daily operations, contributing to delivering business value and improving economic performance.
Source de l’article sur DZONE
Popular Design News of the Week: June 13, 2022 – June 19, 2022
Actualités, ActualitésEvery day design fans submit incredible industry stories to our sister-site, Webdesigner News. Our colleagues sift through it, selecting the very best stories from the design, UX, tech, and development worlds and posting them live on the site.
The best way to keep up with the most important stories for web professionals is to subscribe to Webdesigner News or check out the site regularly. However, in case you missed a day this week, here’s a handy compilation of the top curated stories from the last seven days. Enjoy!
CSS.GUI – Open Source Visual Editor for CSS
Meet Web Push
Mobile-First CSS: Is it Time for a Rethink?
Web5 Is Here, Goodbye Web3? TBD
Nosignup.tools – Free Web Apps that Don’t Require Signup
Hello – The Best Search Engine for Software Developers
Exciting New Tools for Designers, June 2022
Adobe Plans to Make Photoshop on the Web Free to Everyone
8 CSS Snippets that Demonstrate the Power of Shadow Effects
Tango 2.0 – Automatically Generate Step-by-step Guides for your Team
Understanding the Template Element in HTML
Random Emoji Generator – Have Fun with Emojis
Source
The post Popular Design News of the Week: June 13, 2022 – June 19, 2022 first appeared on Webdesigner Depot.
Source de l’article sur Webdesignerdepot