Now Available – Second-Generation FPGA-Powered Amazon EC2 instances (F2)

This post was originally published on this site

Equipped with up to eight AMD Field-Programmable Gate Arrays (FPGAs), AMD EPYC (Milan) processors with up to 192 cores, High Bandwidth Memory (HBM), up to 8 TiB of SSD-based instance storage, and up to 2 TiB of memory, the new F2 instances are available in two sizes, and are ready to accelerate your genomics, multimedia processing, big data, satellite communication, networking, silicon simulation, and live video workloads.

A Quick FPGA Recap
Here’s how I explained the FPGA model when we previewed the first generation of FPGA-powered Amazon Elastic Compute Cloud (Amazon EC2) instances

One of the more interesting routes to a custom, hardware-based solution is known as a Field Programmable Gate Array, or FPGA. In contrast to a purpose-built chip which is designed with a single function in mind and then hard-wired to implement it, an FPGA is more flexible. It can be programmed in the field, after it has been plugged in to a socket on a PC board. Each FPGA includes a fixed, finite number of simple logic gates. Programming an FPGA is “simply” a matter of connecting them up to create the desired logical functions (AND, OR, XOR, and so forth) or storage elements (flip-flops and shift registers). Unlike a CPU which is essentially serial (with a few parallel elements) and has fixed-size instructions and data paths (typically 32 or 64 bit), the FPGA can be programmed to perform many operations in parallel, and the operations themselves can be of almost any width, large or small.

Since that launch, AWS customers have used F1 instances to host many different types of applications and services. With a newer FPGA, more processing power, and more memory bandwidth, the new F2 instances are an even better host for highly parallelizable, compute-intensive workloads.

Each of the AMD Virtex UltraScale+ HBM VU47P FPGAs has 2.85 million system logic cells and 9,024 DSP slices (up to 28 TOPS of DSP compute performance when processing INT8 values). The FPGA Accelerator Card associated with each F2 instance provides 16 GiB of High Bandwidth Memory and 64 GiB of DDR4 memory per FPGA.

Inside the F2
F2 instances are powered by 3rd generation AMD EPYC (Milan) processors. In comparison to F1 instances, they offer up to 3x as many processor cores, up to twice as much system memory and NVMe storage, and up to 4x the network bandwidth. Each FPGA comes with 16 GiB High Bandwidth Memory (HBM) with up to 460 GiB/s bandwidth. Here are the instance sizes and specs:

Instance Name vCPUs
FPGAs
FPGA Memory
HBM / DDR4
Instance Memory
NVMe Storage
EBS Bandwidth
Network Bandwidth
f2.12xlarge 48 2 32 GiB /
128 GiB
512 GiB 1900 GiB
(2x 950 GiB)
15 Gbps 25 Gbps
f2.48xlarge 192 8 128 GiB /
512 GiB
2,048 GiB 7600 GiB
(8x 950 GiB)
60 Gbps 100 Gbps

The high-end f2.48xlarge instance supports the AWS Cloud Digital Interface (CDI) to reliably transport uncompressed live video between applications, with instance-to-instance latency as low as 8 milliseconds.

Building FPGA Applications
The AWS EC2 FPGA Development Kit contains the tools that you will use to develop, simulate, debug, compile, and run your hardware-accelerated FPGA applications. You can launch the kit’s FPGA Developer AMI on a memory-optimized or compute-optimized instance for development and simulation, then use an F2 instance for final debugging and testing.

The tools included in the developer kit support a variety of development paradigms, tools, accelerator languages, and debugging options. Regardless of your choice, you will ultimately create an Amazon FPGA Image (AFI) which contains your custom acceleration logic and the AWS Shell which implements access to the FPGA memory, PCIe bus, interrupts, and external peripherals. You can deploy AFIs to as many F2 instances as desired, share with other AWS accounts or publish on AWS Marketplace.

If you have already created an application that runs on F1 instances, you will need to update your development environment to use the latest AMD tools, then rebuild and validate before upgrading to F2 instances.

FPGA Instances in Action
Here are some cool examples of how F1 and F2 instances can support unique and highly demanding workloads:

Genomics – Multinational pharmaceutical and biotechnology company AstraZeneca used thousands of F1 instances to build the world’s fastest genomics pipeline, able to process over 400K whole genome samples in under two months. They will adopt Illumina DRAGEN for F2 to realize better performance at a lower cost, while accelerating disease discovery, diagnosis, and treatment.

Satellite Communication – Satellite operators are moving from inflexible and expensive physical infrastructure (modulators, demodulators, combiners, splitters, and so forth) toward agile, software-defined, FPGA-powered solutions. Using the digital signal processor (DSP) elements on the FPGA, these solutions can be reconfigured in the field to support new waveforms and to meet changing requirements. Key F2 features such as support for up to 8 FPGAs per instance, generous amounts of network bandwidth, and support for the Data Plan Development Kit (DPDK) using Virtual Ethernet can be used to support processing of multiple, complex waveforms in parallel.

AnalyticsNeuroBlade‘s SQL Processing Unit (SPU) integrates with Presto, Apache Spark, and other open source query engines, delivering faster query processing and market-leading query throughput efficiency when run on F2 instances.

Things to Know
Here are a couple of final things that you should know about the F2 instances:

Regions – F2 instances are available today in the US East (N. Virginia) and Europe (London) AWS Regions, with plans to extend availability to additional regions over time.

Operating Systems – F2 instances are Linux-only.

Purchasing Options – F2 instances are available in On-Demand, SpotSavings Plan, Dedicated Instance, and Dedicated Host form.

Jeff;

Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th)

This post was originally published on this site

Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.

 

iOS 18.2 and iPadOS 18.2 iPadOS 17.7.3 macOS Sequoia 15.2 macOS Sonoma 14.7.2 macOS Ventura 13.7.2 watchOS 11.2 tvOS 18.2 visionOS 2.2
CVE-2023-32395: An app may be able to modify protected parts of the file system.
Affects Perl
    x          
CVE-2024-44201: Processing a malicious crafted file may lead to a denial-of-service.
Affects libarchive
  x   x x      
CVE-2024-44220: Parsing a maliciously crafted video file may lead to unexpected system termination.
Affects AppleGraphicsControl
    x x        
CVE-2024-44224: A malicious app may be able to gain root privileges.
Affects StorageKit
    x x x      
CVE-2024-44225: An app may be able to gain elevated privileges.
Affects libxpc
x x x x x x x  
CVE-2024-44243: An app may be able to modify protected parts of the file system.
Affects StorageKit
    x          
CVE-2024-44245: An app may be able to cause unexpected system termination or corrupt kernel memory.
Affects Kernel
x x x x       x
CVE-2024-44246: On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the originating IP address to the website.
Affects Safari
x x x          
CVE-2024-44248: A user with screen sharing access may be able to view another user's screen.
Affects Screen Sharing Server
      x x      
CVE-2024-44291: A malicious app may be able to gain root privileges.
Affects Foundation
    x x x      
CVE-2024-44300: An app may be able to access protected user data.
Affects Crash Reporter
    x x x      
CVE-2024-54465: An app may be able to elevate privileges.
Affects LaunchServices
    x          
CVE-2024-54466: An encrypted volume may be accessed by a different user without prompting for the password.
Affects DiskArbitration
    x x x      
CVE-2024-54476: An app may be able to access user-sensitive data.
Affects PackageKit
    x x x      
CVE-2024-54477: An app may be able to access user-sensitive data.
Affects Apple Software Restore
    x x x      
CVE-2024-54479: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
  x            
CVE-2024-54484: An app may be able to access user-sensitive data.
Affects MediaRemote
    x          
CVE-2024-54485: An attacker with physical access to an iOS device may be able to view notification content from the lock screen.
Affects VoiceOver
x x            
CVE-2024-54486: Processing a maliciously crafted font may result in the disclosure of process memory.
Affects FontParser
x x x x x x x x
CVE-2024-54489: Running a mount command may unexpectedly execute arbitrary code.
Affects Disk Utility
    x x x      
CVE-2024-54490: A local attacker may gain access to user's Keychain items.
Affects AppleMobileFileIntegrity
    x          
CVE-2024-54491: A malicious application may be able to determine a user's current location.
Affects Logging
    x          
CVE-2024-54492: An attacker in a privileged network position may be able to alter network traffic.
Affects Passwords
x x x         x
CVE-2024-54493: Privacy indicators for microphone access may be attributed incorrectly.
Affects Shortcuts
    x          
CVE-2024-54494: An attacker may be able to create a read-only memory mapping that can be written to.
Affects Kernel
x x x x x x x x
CVE-2024-54495: An app may be able to modify protected parts of the file system.
Affects Swift
    x x        
CVE-2024-54498: An app may be able to break out of its sandbox.
Affects SharedFileList
    x x x      
CVE-2024-54500: Processing a maliciously crafted image may result in disclosure of process memory.
Affects ImageIO
x x x x x x x x
CVE-2024-54501: Processing a maliciously crafted file may lead to a denial of service.
Affects SceneKit
x x x x x x x x
CVE-2024-54502: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x   x     x x x
CVE-2024-54503: Muting a call while ringing may not result in mute being enabled.
Affects Audio
x              
CVE-2024-54504: An app may be able to access user-sensitive data.
Affects Notification Center
    x          
CVE-2024-54505: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x x x     x x x
CVE-2024-54506: An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.
Affects IOMobileFrameBuffer
    x          
CVE-2024-54508: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit
x   x     x x x
CVE-2024-54510: An app may be able to leak sensitive kernel state.
Affects Kernel
x x x x x x x  
CVE-2024-54513: An app may be able to access sensitive user data.
Affects Crash Reporter
x   x     x x x
CVE-2024-54514: An app may be able to break out of its sandbox.
Affects libxpc
x   x x x x x  
CVE-2024-54515: A malicious app may be able to gain root privileges.
Affects SharedFileList
    x          
CVE-2024-54524: A malicious app may be able to access arbitrary files.
Affects SharedFileList
    x          
CVE-2024-54526: A malicious app may be able to access private information.
Affects AppleMobileFileIntegrity
x   x x x x x  
CVE-2024-54527: An app may be able to access sensitive user data.
Affects AppleMobileFileIntegrity
x   x x x x x  
CVE-2024-54528: An app may be able to overwrite arbitrary files.
Affects SharedFileList
    x x x      
CVE-2024-54529: An app may be able to execute arbitrary code with kernel privileges.
Affects Audio
    x x x      
CVE-2024-54531: An app may be able to bypass kASLR.
Affects Kernel
    x          
CVE-2024-54534: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit
x   x     x x x

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft Patch Tuesday: December 2024, (Tue, Dec 10th)

This post was originally published on this site

Microsoft today released patches for 71 vulnerabilities. 16 of these vulnerabilities are considered critical. One vulnerability (CVE-2024-49138) has already been exploited, and details were made public before today's patch release.

Significant Vulnerabilities

CVE-2024-49138: This vulnerability affects the Windows Common Log File System Driver, a subsystem affected by similar privilege escalation vulnerabilities in the past. The only reason I consider this "significant" is that it is already being exploited.

Windows Remote Desktop Services: 9 of the 16 critical vulnerabilities affect Windows Remote Desktop Services. Exploitation may lead to remote code execution. Microsoft considers the exploitation of these vulnerabilities less likely. Even without considering these vulnerabilities, Windows Remote Desktop Service should not be exposed to the internet.

LDAP: Remote code execution vulnerabilities in the LDAP service are always "interesting" given the importance of LDAP as part of Active Directory. Two critical vulnerabilities are patched for LDAP. One with a CVSS score of 9.8. A third critical vulnerability affects the LDAP client.

CVE-2024-49126: LSASS vulnerabilities always make me reminisce of the "Blaster" worm and the related vulnerability back in the day. This one does involve a race condition, which will make exploitation more difficult. It could become an interesting lateral movement vulnerability if a reliable exploit materializes.

Description
CVE Disclosed Exploited Exploitability (old versions) current version Severity CVSS Base (AVG) CVSS Temporal (AVG)
Input Method Editor (IME) Remote Code Execution Vulnerability
%%cve:2024-49079%% No No Important 7.8 6.8
Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
%%cve:2024-49124%% No No Critical 8.1 7.1
Microsoft Access Remote Code Execution Vulnerability
%%cve:2024-49142%% No No Important 7.8 6.8
Microsoft Defender for Endpoint on Android Spoofing Vulnerability
%%cve:2024-49057%% No No Important 8.1 7.1
Microsoft Edge (Chromium-based) Spoofing Vulnerability
%%cve:2024-49041%% No No Less Likely Less Likely Moderate 4.3 3.8
Microsoft Excel Remote Code Execution Vulnerability
%%cve:2024-49069%% No No Important 7.8 6.8
Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability
%%cve:2024-49096%% No No Important 7.5 6.5
Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
%%cve:2024-49122%% No No Critical 8.1 7.1
%%cve:2024-49118%% No No Critical 8.1 7.1
Microsoft Office Defense in Depth Update
ADV240002 No No Moderate    
Microsoft Office Elevation of Privilege Vulnerability
%%cve:2024-49059%% No No Important 7.0 6.1
%%cve:2024-43600%% No No Important 7.8 6.8
Microsoft Office Remote Code Execution Vulnerability
%%cve:2024-49065%% No No Important 5.5 4.8
Microsoft SharePoint Elevation of Privilege Vulnerability
%%cve:2024-49068%% No No Important 8.2 7.1
Microsoft SharePoint Information Disclosure Vulnerability
%%cve:2024-49064%% No No Important 6.5 5.7
%%cve:2024-49062%% No No Important 6.5 5.7
Microsoft SharePoint Remote Code Execution Vulnerability
%%cve:2024-49070%% No No Important 7.4 6.4
Microsoft/Muzic Remote Code Execution Vulnerability
%%cve:2024-49063%% No No Important 8.4 7.3
System Center Operations Manager Elevation of Privilege Vulnerability
%%cve:2024-43594%% No No Important 7.3 6.4
Windows Domain Name Service Remote Code Execution Vulnerability
%%cve:2024-49091%% No No Important 7.2 6.3
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
%%cve:2024-49114%% No No Important 7.8 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
%%cve:2024-49088%% No No Important 7.8 6.8
%%cve:2024-49090%% No No Important 7.8 6.8
%%cve:2024-49138%% Yes Yes Important 7.8 6.8
Windows File Explorer Information Disclosure Vulnerability
%%cve:2024-49082%% No No Important 6.8 5.9
Windows Hyper-V Remote Code Execution Vulnerability
%%cve:2024-49117%% No No Critical 8.8 7.7
Windows IP Routing Management Snapin Remote Code Execution Vulnerability
%%cve:2024-49080%% No No Important 8.8 7.7
Windows Kernel Elevation of Privilege Vulnerability
%%cve:2024-49084%% No No Important 7.0 6.1
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
%%cve:2024-49074%% No No Important 7.8 6.8
Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
%%cve:2024-49121%% No No Important 7.5 6.5
%%cve:2024-49113%% No No Important 7.5 6.5
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
%%cve:2024-49112%% No No Critical 9.8 8.5
%%cve:2024-49127%% No No Critical 8.1 7.1
Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
%%cve:2024-49126%% No No Critical 8.1 7.1
Windows Mobile Broadband Driver Elevation of Privilege Vulnerability
%%cve:2024-49073%% No No Important 6.8 5.9
%%cve:2024-49092%% No No Important 6.8 5.9
%%cve:2024-49077%% No No Important 6.8 5.9
%%cve:2024-49078%% No No Important 6.8 5.9
%%cve:2024-49083%% No No Important 6.8 5.9
%%cve:2024-49110%% No No Important 6.8 5.9
Windows Mobile Broadband Driver Information Disclosure Vulnerability
%%cve:2024-49087%% No No Important 4.6 4.0
Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability
%%cve:2024-49097%% No No Important 7.0 6.1
%%cve:2024-49095%% No No Important 7.0 6.1
Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability
%%cve:2024-49129%% No No Important 7.5 6.5
Windows Remote Desktop Services Remote Code Execution Vulnerability
%%cve:2024-49106%% No No Critical 8.1 7.1
%%cve:2024-49108%% No No Critical 8.1 7.1
%%cve:2024-49115%% No No Critical 8.1 7.1
%%cve:2024-49119%% No No Critical 8.1 7.1
%%cve:2024-49120%% No No Critical 8.1 7.1
%%cve:2024-49123%% No No Critical 8.1 7.1
%%cve:2024-49132%% No No Critical 8.1 7.1
%%cve:2024-49116%% No No Critical 8.1 7.1
%%cve:2024-49128%% No No Critical 8.1 7.1
Windows Remote Desktop Services Denial of Service Vulnerability
%%cve:2024-49075%% No No Important 7.5 6.5
Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability
%%cve:2024-49093%% No No Important 8.8 7.7
Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
%%cve:2024-49085%% No No Important 8.8 7.7
%%cve:2024-49086%% No No Important 8.8 7.7
%%cve:2024-49089%% No No Important 7.2 6.3
%%cve:2024-49102%% No No Important 8.8 7.7
%%cve:2024-49104%% No No Important 8.8 7.7
%%cve:2024-49125%% No No Important 8.8 7.7
Windows Task Scheduler Elevation of Privilege Vulnerability
%%cve:2024-49072%% No No Important 7.8 6.8
Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability
%%cve:2024-49076%% No No Important 7.8 6.8
Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability
%%cve:2024-49098%% No No Important 4.3 3.8
%%cve:2024-49099%% No No Important 4.3 3.8
%%cve:2024-49103%% No No Important 4.3 3.8
Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability
%%cve:2024-49094%% No No Important 6.6 5.8
%%cve:2024-49101%% No No Important 6.6 5.8
%%cve:2024-49111%% No No Important 6.6 5.8
%%cve:2024-49081%% No No Important 6.6 5.8
%%cve:2024-49109%% No No Important 6.6 5.8
WmsRepair Service Elevation of Privilege Vulnerability
%%cve:2024-49107%% No No Important 7.3 6.4


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

[Guest Diary] Business Email Compromise, (Thu, Dec 5th)

This post was originally published on this site

[This is a Guest Diary by Chris Kobee, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].

Business Email Compromise (BEC) is a lucrative attack, which FBI data shows 51 billion dollars in losses between 2013 to 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3].The social engineering attacks include phishing, spear phishing, smishing, whaling , etc.  Figure 1 is a distribution of social engineering attacks from Statista depicting Scamming, Phishing, and BEC attacks worldwide [4]. Scamming is the leader, followed by Phishing and BEC [5]. BEC and other social engineering attacks are the path of least resistance with a high rate of success versus attempting technical network intrusions.

In May 2024, a significant cybersecurity incident unfolded within an organization, showcasing the vulnerabilities that can arise from BEC harvesting user credentials and the exploitation of cloud services like Microsoft 365  . This post aims to break down the events, identify the vulnerabilities exploited, and review implemented and proposed mitigations to thwart similar threats.
 


Figure 1: Distribution of Worldwide Social Engineering Attacks

Organization Incident Overview

From May 20 to 23, 2024, a threat actor successfully accessed a Microsoft 365 account belonging to a user in the organization’s accounting department with the user’s valid credentials. The actor manipulated account details in a pending invoice and redirected funds to their own bank account. The incident was characterized by several key actions  beginning on May 20 when the actor successfully logged into the Microsoft 365 account after a rejection pattern of an expired session ID and MFA denials. 

The actor conducted reconnaissance on May 22, potentially identifying the pending vendor invoices for payment. The attacker logged into the user’s email account on May 23rd and created a new inbox rule to direct any correspondence with the vendor organization’s name to the RSS Feeds folder in the inbox. The actor altered the target document and sent it to the next stage in the approval process. The accounting department’s processes broke down and did not catch spelling and grammar errors that could have tipped off potential fraud. The document was approved, the ACH payment was authorized, and payment was completed. The organization’s Managed Service Provider/Managed Security Service Provider (MSP/MSSP) receive an alert and re-secured the account later in the early evening, effectively locking out the actor. Figures 2 and 3 display a high-level summary of the events and timeline. 


Figure 2: Business Email Compromise Attack Timeline

 


Figure 3: Threat Actor Login Attempts

Initial Access

The  attacker logged into the organization's M365 tenant using compromised credentials on May 20, 2024, and re-entered the system on May 22 for reconnaissance. The actor appears to have conducted reconnaissance on May 22 for approximately thirty-four minutes, during which the pending invoice was potentially discovered.

Fraud Executed

On May 23, the attacker logged into the email exchange and executed bank fraud by altering the invoice's destination bank account. They also implemented new inbox rules  (Figure 4) within the Outlook account to obscure their activities by redirecting any email traffic with the vendor’s name to an obscure folder. The newly created inbox rules, one rule for each organizational name the vendor employs, directed any incoming communications to the RSS Feeds folder for obscurity from the authorized account user. The target vendor was purchased by another company and sends correspondence from both companies, which the attacker covered with both rules. The attacker sent the fraudulent invoice to the next accounting staff member for further processing. 


Figure 4: Threat Actor Action on Objective

 

Covered Tracks 

The threat actor attempted to cover their actions by deleting items and folders created while in the organization’s cloud account (Figure 5),  withdrew the funds shortly after the transfer, and closed the bank account. The organization reached out to the actor’s financial institution to reverse the payment, but the financial institution rejected the request to reverse the payment due to the account closure.


Figure 5: Threat Actor’s Covering Tracks Attempt

Detection 

The organization's MSP/MSSP detected an unusual inbox rule change and resecured the compromised account (Figure 6), but not before the attacker could execute their plan. 


Figure 6: Threat Actor Activity Detected by MSP/MSSP

 

Analysis 

Analysis of the logs, provided by the Cloud Service Provider, suggests MFA was bypassed and potential collusion or manipulation of the organization’s assigned user. Further research revealed a CVE written against the Microsoft Authenticator application employed by the organization on company issue and BYOD mobile devices.

Multi-Factor Authentication (MFA)

MFA was enabled during the attack, with logs indicating the attacker faced several denied attempts before successfully logging in. This suggests potential insider collusion, manipulation of the authorized user, and/or an Attacker-in-the-Middle tool, such as evilginx2 [5] or later version used for to phish user credentials, session cookies, and bypass MFA. Figure 7 depicts the pattern of a failed login with an expired session ID, followed by three failed logins due to MFA denials, and a successful login on May 20th and 22nd [6]. 
 


Figure 7: Threat Actor Login Attempt Pattern

 

Vulnerability in Microsoft Authenticator

The incident points to a specific vulnerability (CVE-2024-21390) in the Microsoft Authenticator application (Figure 5), which can be exploited if an attacker gains access to the user's local device and convinces the user to relaunch the authenticator app [7][8]. The threat actor potentially compromised the user’s mobile device through malware delivered via phishing or smishing vector allowing the opportunity to manipulate the user to close and re-launch the application on the mobile device.
 


Figure 8: Microsoft Authenticator Vulnerability

 

Conclusion, Mitigations, Lessons Learned

Business Email Compromise was the main factor in this attack as the threat actor used it as the attack vector and sent emails between the accounting department from the compromised user’s account to commit bank fraud. The attacker most likely obtained the user’s credentials through a phishing email tricking the user into clicking a link and inputting credentials on a web page highly resembling a Microsoft login page. Due to the nature of the Cloud Service Provider (CSP) / Cloud Customer Software as a Service (SaaS) model employed by organization, limited logging and insights are available, as the CSP manages the lower network layers. Analysis of the provided logs suggests that MFA was enabled and operational before, during, and after the incident. The pattern of MFA rejections with the error code long description defined by Microsoft as "Strong authentication is required and the user did not pass the MFA challenge" indicates potential insider collusion (witting or unwitting) to authenticate the attacker, but the rapid succession of MFA denials before the successful login is evidence of an automated attack, such as evilginx2 interacting with the MFA server.

After a thorough review, the organization found gaps in log auditing by the organization and the MSP/MSSP, as well as process gaps in the affected department. MFA and password complexity were in place, but appear to have been bypassed. The MSP/MSSP alerting process operated successfully, allowing the account to be re-secured quickly to prevent further lateral movement, privilege escalation, or establishment of a C2 channel. The following Information Security mitigations were adopted to address the gaps:

  • All corporate personnel involved in accounting related duties were issued digital signature tokens from an external certification authority to enforce non-repudiation. Digitally signed emails provide recipients in the accounting department with validation the sender is the authorized user.
  • Internal IT/Cybersecurity personnel audit authentication logs provided by MSP/MSSP monthly.
  • Organization confirmed log retention of one year.
  • Confirmed through MSP/MSSP the Microsoft Authenticator application is the current patched version.
  • Developing a corporate phishing simulation program based on the Gophish open-source framework with custom python automation scripts.
  • Increasing the frequency of phishing email and social engineering bulletins and awareness training.

Lessons Learned:

  • Technical: Ensure authentication applications are patched and updated.
  • Training and Awareness: Increase organizational awareness of malicious phishing and smishing attempts.
  • Policy: Ensure data and document flow policies are understood and followed.
  • Policy/Compliance: Continue to improve Cybersecurity posture by working closer with the MSP/MSSP to ensure controls and policies are clear, updated, and enforced.

Organizations can apply the lessons learned in this post to avoid the financial losses and compliance reporting requirements this target organization suffered. Training and awareness coupled with continuous improvement in Cybersecurity posture will harden the organizations users and systems against social engineering and technical network attacks and intrusions.

 

[1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
[2] https://abnormalsecurity.com/blog/fbi-bec-51-billion-threat
[3] https://www.sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-statistics/#:~:text=Almost%20all%20(98%25)%20cyberattacks,individuals%20into%20divulging%20sensitive%20information
[4] https://www.statista.com/statistics/1493497/globla-social-engineering-attack-by-type/
[5] https://www.kali.org/tools/evilginx2/
[6] https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-21390
[8] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21390

 

 


Jesse La Grew
Handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introducing Buy with AWS: an accelerated procurement experience on AWS Partner sites, powered by AWS Marketplace

This post was originally published on this site

Today, we are announcing Buy with AWS, a new way to discover and purchase solutions available in AWS Marketplace from AWS Partner sites. You can use Buy with AWS to accelerate and streamline your product procurement process on websites outside of Amazon Web Services (AWS). This feature provides you the ability to find, try, and buy solutions from Partner websites using your AWS account

AWS Marketplace is a curated digital store for you to find, buy, deploy, and manage cloud solutions from Partners. Buy with AWS is another step towards AWS Marketplace making it easy for you to find and procure the right Partner solutions, when and where you need them. You can conveniently find and procure solutions in AWS Marketplace, through integrated AWS service consoles, and now on Partner websites.

Accelerate cloud solution discovery and evaluation

You can now discover solutions from Partners available for purchase through AWS Marketplace as you explore solutions on the web beyond AWS.

Look for products that are “Available in AWS Marketplace” when browsing on Partner sites, then accelerate your evaluation process with fast access to free trials, demo requests, and inquiries for custom pricing.

For example, I want to evaluate Wiz to see how it can help with my cloud security requirements. While browsing the Wiz website, I come across a page where I see “Connect Wiz with Amazon Web Services (AWS)”.

Wiz webpage featuring Buy With AWS

I choose Try with AWS. It asks me to sign in to my AWS account if I’m not signed in already. I’m then presented with a Wiz and AWS co-branded page for me to sign up for the free trial.

Wiz and AWS co-branded page to sign up for free trial using Buy with AWS through AWS Marketplace

The discovery experience that you see will vary depending on type of the Partner website you’re shopping from. Wiz is an example of how Buy with AWS can be implemented by an independent software vendor (ISV). Now, let’s look at an example of an AWS Marketplace Channel Partner, or reseller, who operates a storefront of their own.

I browse to the Bytes storefront with product listings from AWS Marketplace. I have the option to filter and search from the curated product listings, which are available in AWS Marketplace, on the Bytes site.

Bytes storefront with product listings from AWS Marketplace

I choose View Details for Fortinet and see an option to Request Private Offer from AWS.

Bytes storefront with option to Request Private Offer for Fortinet from AWS Marketplace

As you can tell, on a Channel Partner site, you can browse curated product listings available in AWS Marketplace, filter products, and request custom pricing directly from their website.

Streamline product procurement on AWS Partner sites
I had a seamless experience using Buy with AWS to access a free trial for Wiz and browse through the Bytes storefront to request a private offer.

Now I want to try Databricks for one of the applications I’m building. I sign up for a Databricks trial through their website.

Database homepage after login with option to Upgrade

I chose Upgrade and see Databricks is available in AWS Marketplace, which gives me the option to Buy with AWS.

Option to upgrade to Databricks premium using Buy with AWS feature of AWS marketplace

I choose Buy with AWS, and after I sign in to my AWS account, I land on a Databricks and AWS Marketplace co-branded procurement page.

Databricks and AWS co-branded page to subscribe using Buy with AWS

I complete the purchase on the co-branded procurement page and continue to set up my Databricks account.

Databricks and AWS co-branded page after subscribing using Buy with AWS

As you can tell, I didn’t have to navigate the challenge of managing procurement processes for multiple vendors. I also didn’t have to speak with a sales representative or onboard a new vendor in my billing system, which would have required multiple approvals and delayed the overall process.

Access centralized billing and benefits through AWS Marketplace
Because Buy with AWS purchases are transacted through and managed in AWS Marketplace, you also benefit from the post-purchase experience of AWS Marketplace, including consolidated AWS billing, centralized subscription management, and access to cost optimization tools.

For example, through the AWS Billing and Cost Management console, I can centrally manage all my AWS purchases, including Buy with AWS purchases, from one dashboard. I can easily access and process invoices for all of my organization’s AWS purchases. I also need to have valid AWS Identity and Access Management (IAM) permissions to manage subscriptions and make a purchase through AWS Marketplace.

AWS Marketplace not only simplifies my billing but also helps in maintaining governance over spending by helping me manage purchasing authority and subscription access for my organization with centralized visibility and controls. I can manage my budget with pricing flexibility, cost transparency, and AWS cost management tools.

Buy with AWS for Partners
Buy with AWS enables Partners who sell or resell products in AWS Marketplace to create new solution discovery and buying experiences for customers on their own websites. By adding call to action (CTA) buttons to their websites such as “Buy with AWS”, “Try free with AWS”, “Request private offer”, and “Request demo”, Partners can help accelerate product evaluation and the path-to-purchase for customers.

By integrating with AWS Marketplace APIs, Partners can display products from the AWS Marketplace catalog, allow customers to sort and filter products, and streamline private offers. Partners implementing Buy with AWS can access AWS Marketplace creative and messaging resources for guidance on building their own web experiences. Partners who implement Buy with AWS can access metrics for insights into engagement and conversion performance.

The Buy with AWS onboarding guide in the AWS Marketplace Management Portal details how Partners can get started.

Learn more
Visit the Buy with AWS page to learn more and explore Partner sites that offer Buy with AWS.

To learn more about selling or reselling products using Buy with AWS on your website, visit:

Prasad

Accelerate foundation model training and fine-tuning with new Amazon SageMaker HyperPod recipes

This post was originally published on this site

Today, we’re announcing the general availability of Amazon SageMaker HyperPod recipes to help data scientists and developers of all skill sets to get started training and fine-tuning foundation models (FMs) in minutes with state-of-the-art performance. They can now access optimized recipes for training and fine-tuning popular publicly available FMs such as Llama 3.1 405B, Llama 3.2 90B, or Mixtral 8x22B.

At AWS re:Invent 2023, we introduced SageMaker HyperPod to reduce time to train FMs by up to 40 percent and scale across more than a thousand compute resources in parallel with preconfigured distributed training libraries. With SageMaker HyperPod, you can find the required accelerated compute resources for training, create the most optimal training plans, and run training workloads across different blocks of capacity based on the availability of compute resources.

SageMaker HyperPod recipes include a training stack tested by AWS, removing tedious work experimenting with different model configurations, eliminating weeks of iterative evaluation and testing. The recipes automate several critical steps, such as loading training datasets, applying distributed training techniques, automating checkpoints for faster recovery from faults, and managing the end-to-end training loop.

With a simple recipe change, you can seamlessly switch between GPU- or Trainium-based instances to further optimize training performance and reduce costs. You can easily run workloads in production on SageMaker HyperPod or SageMaker training jobs.

SageMaker HyperPod recipes in action
To get started, visit the SageMaker HyperPod recipes GitHub repository to browse training recipes for popular publicly available FMs.

You only need to edit straightforward recipe parameters to specify an instance type and the location of your dataset in cluster configuration, then run the recipe with a single line command to achieve state-of-art performance.

You need to edit the recipe config.yaml file to specify the model and cluster type after cloning the repository.

$ git clone --recursive https://github.com/aws/sagemaker-hyperpod-recipes.git
$ cd sagemaker-hyperpod-recipes
$ pip3 install -r requirements.txt.
$ cd ./recipes_collections
$ vim config.yaml

The recipes support SageMaker HyperPod with Slurm, SageMaker HyperPod with Amazon Elastic Kubernetes Service (Amazon EKS), and SageMaker training jobs. For example, you can set up a cluster type (Slurm orchestrator), a model name (Meta Llama 3.1 405B language model), an instance type (ml.p5.48xlarge), and your data locations, such as storing the training data, results, logs, and so on.

defaults:
- cluster: slurm # support: slurm / k8s / sm_jobs
- recipes: fine-tuning/llama/hf_llama3_405b_seq8k_gpu_qlora # name of model to be trained
debug: False # set to True to debug the launcher configuration
instance_type: ml.p5.48xlarge # or other supported cluster instances
base_results_dir: # Location(s) to store the results, checkpoints, logs etc.

You can optionally adjust model-specific training parameters in this YAML file, which outlines the optimal configuration, including the number of accelerator devices, instance type, training precision, parallelization and sharding techniques, the optimizer, and logging to monitor experiments through TensorBoard.

run:
  name: llama-405b
  results_dir: ${base_results_dir}/${.name}
  time_limit: "6-00:00:00"
restore_from_path: null
trainer:
  devices: 8
  num_nodes: 2
  accelerator: gpu
  precision: bf16
  max_steps: 50
  log_every_n_steps: 10
  ...
exp_manager:
  exp_dir: # location for TensorBoard logging
  name: helloworld 
  create_tensorboard_logger: True
  create_checkpoint_callback: True
  checkpoint_callback_params:
    ...
  auto_checkpoint: True # for automated checkpointing
use_smp: True 
distributed_backend: smddp # optimized collectives
# Start training from pretrained model
model:
  model_type: llama_v3
  train_batch_size: 4
  tensor_model_parallel_degree: 1
  expert_model_parallel_degree: 1
  # other model-specific params

To run this recipe in SageMaker HyperPod with Slurm, you must prepare the SageMaker HyperPod cluster following the cluster setup instruction.

Then, connect to the SageMaker HyperPod head node, access the Slurm controller, and copy the edited recipe. Next, you run a helper file to generate a Slurm submission script for the job that you can use for a dry run to inspect the content before starting the training job.

$ python3 main.py --config-path recipes_collection --config-name=config

After training completion, the trained model is automatically saved to your assigned data location.

To run this recipe on SageMaker HyperPod with Amazon EKS, clone the recipe from the GitHub repository, install the requirements, and edit the recipe (cluster: k8s) on your laptop. Then, create a link between your laptop and running the EKS cluster and subsequently use the HyperPod Command Line Interface (CLI) to run the recipe.

$ hyperpod start-job –recipe fine-tuning/llama/hf_llama3_405b_seq8k_gpu_qlora 
--persistent-volume-claims fsx-claim:data 
--override-parameters 
'{
  "recipes.run.name": "hf-llama3-405b-seq8k-gpu-qlora",
  "recipes.exp_manager.exp_dir": "/data/<your_exp_dir>",
  "cluster": "k8s",
  "cluster_type": "k8s",
  "container": "658645717510.dkr.ecr.<region>.amazonaws.com/smdistributed-modelparallel:2.4.1-gpu-py311-cu121",
  "recipes.model.data.train_dir": "<your_train_data_dir>",
  "recipes.model.data.val_dir": "<your_val_data_dir>",
}'

You can also run recipe on SageMaker training jobs using SageMaker Python SDK. The following example is running PyTorch training scripts on SageMaker training jobs with overriding training recipes.

...
recipe_overrides = {
    "run": {
        "results_dir": "/opt/ml/model",
    },
    "exp_manager": {
        "exp_dir": "",
        "explicit_log_dir": "/opt/ml/output/tensorboard",
        "checkpoint_dir": "/opt/ml/checkpoints",
    },   
    "model": {
        "data": {
            "train_dir": "/opt/ml/input/data/train",
            "val_dir": "/opt/ml/input/data/val",
        },
    },
}
pytorch_estimator = PyTorch(
           output_path=<output_path>,
           base_job_name=f"llama-recipe",
           role=<role>,
           instance_type="p5.48xlarge",
           training_recipe="fine-tuning/llama/hf_llama3_405b_seq8k_gpu_qlora",
           recipe_overrides=recipe_overrides,
           sagemaker_session=sagemaker_session,
           tensorboard_output_config=tensorboard_output_config,
)
...

As training progresses, the model checkpoints are stored on Amazon Simple Storage Service (Amazon S3) with the fully automated checkpointing capability, enabling faster recovery from training faults and instance restarts.

Now available
Amazon SageMaker HyperPod recipes are now available in the SageMaker HyperPod recipes GitHub repository. To learn more, visit the SageMaker HyperPod product page and the Amazon SageMaker AI Developer Guide.

Give SageMaker HyperPod recipes a try and send feedback to AWS re:Post for SageMaker or through your usual AWS Support contacts.

Channy

AWS Education Equity Initiative: Applying generative AI to educate the next wave of innovators

This post was originally published on this site

Building on the work that we and our partners have been doing for many years, Amazon is committing up to $100 million in cloud technology and technical resources to help existing, dedicated learning organizations reach more learners by creating new and innovative digital learning solutions, all as part of the AWS Education Equity Initiative.

The Work So Far
AWS and Amazon have a long-standing commitment to learning and education. Here’s a sampling of what we have already done:

AWS AI & ML Scholarship Program – This program has awarded $28 million in scholarships to approximately 6000 students.

Machine Learning University – MLU offers a free program helping community colleges and Historically Black Colleges and Universities (HBCUs) teach data management, artificial intelligence, and machine learning concepts. The program is designed to address opportunity gaps by supporting students who are historically underserved and underrepresented in technology disciplines.

Amazon Future Engineer – Since 2021, up to $46 million in scholarships has been awarded to 1150 students through this program. In the past year, more than 2.1 million students received over 17 million hours of STEM education, literacy, and career exploration courses through this and other Amazon philanthropic education programs in the United States. I was able to speak to one such session last year and it was an amazing experience:

Free Cloud Training – In late 2020 we set a goal of helping 29 million people grow their tech skills with free cloud computing training by 2025. We worked hard and met that target a year ahead of time!

There’s More To Do
Despite all of this work and progress, there’s still more to be done. The future is definitely not evenly distributed: over half a billion students cannot be reached by digital learning today.

We believe that Generative AI can amplify the good work that socially-minded edtech organizations, non-profits, and governments are already doing. Our goal is to empower them to build new and innovative digital learning systems that can amplify their work and allow them to reach a bigger audience.

With the launch of the AWS Education Equity Initiative, we want to help pave the way for the next generation of technology pioneers as they build powerful tools, train foundation models at scale, and create AI-powered teaching assistants.

We are committing up to $100 million in cloud technology and comprehensive technical advising over the next five years. The awardees will have access to the portfolio of AWS services and technical expertise so that they can build and scale learning management systems, mobile apps, chatbots, and other digital learning tools. As part of the application process, applicants will be asked to demonstrate how their proposed solution will benefit students from underserved and underrepresented communities.

As I mentioned earlier, our partners are already doing a lot of great work in this area. For example:

Code.org has already used AWS to scale their free computer science curriculum to millions of students in more than 100 countries. With this initiative, they will expand their use of Amazon Bedrock to provide an automated assessment of student projects, freeing up educator time that can be use for individual instruction and tailored learning.

Rocket Learning focuses on early childhood education in India. They will use Amazon Q in QuickSight to enhance learning outcomes for more than three million children.

I’m super excited about this initiative and look forward to seeing how it will help to create and educate the next generation of technology pioneers!

Jeff;

Solve complex problems with new scenario analysis capability in Amazon Q in QuickSight

This post was originally published on this site

Today, we announced a new capability of Amazon Q in QuickSight that helps users perform scenario analyses to find answers to complex problems quickly. This AI-assisted data analysis experience helps business users find answers to complex problems by guiding them step-by-step through in-depth data analysis—suggesting analytical approaches, automatically analyzing data, and summarizing findings with suggested actions—using natural language prompts. This new capability eliminates hours of tedious and error-prone manual work traditionally required to perform analyses using spreadsheets or other alternatives. In fact, Amazon Q in QuickSight enables business users to perform complex scenario analysis up to 10x faster than spreadsheets. This capability expands upon existing data Q&A capabilities of Amazon QuickSight so business professionals can start their analysis by simply asking a question.

How it works
Business users are often faced with complex questions that have traditionally required specialized training and days or weeks of time analyzing data in spreadsheets or other tools to address. For example, let’s say you’re a franchisee with multiple locations to manage. You might use this new capability in Amazon Q in QuickSight to ask, “How can I help our new Chicago store perform as well as the flagship store in New York?” Using an agentic approach, Amazon Q would then suggest analytical approaches needed to address the underlying business goal, automatically analyze data, and present results complete with visualizations and suggested actions. You can conduct this multistep analysis in an expansive analysis canvas, giving you the flexibility to make changes, explore multiple analysis paths simultaneously, and adapt to situations over time.

This new analysis experience is part of Amazon QuickSight meaning it can read from QuickSight dashboards which connect to sources such as Amazon Athena, Amazon Aurora, Amazon Redshift, Amazon Simple Storage Service (Amazon S3), and Amazon OpenSearch Service. Specifically, this new experience is part of Amazon Q in QuickSight, which allows it to seamlessly integrate with other generative business intelligence (BI) capabilities such as data Q&A. You can also upload either a .csv or a single-table, single-sheet .xlsx file to incorporate into your analysis.

Here’s a visual walkthrough of this new analysis experience in Amazon Q in QuickSight.

I’m planning a customer event, and I’ve received an Excel spreadsheet of all who’ve registered to attend the event. I want to learn more about the attendees, so I analyze the spreadsheet and ask a few questions. I start by describing what I want to explore.

I upload the spreadsheet to start my analysis. Firstly, I want to understand how many people have registered for the event.

To design an agenda that’s suitable for the audience, I want to understand the various roles that will be attending. I select on the + icon to add a new block for asking a question following along the thread from the previous block.

I can continue to ask more questions. However, there are suggested questions for analyzing my data even further, and I now select one of these suggested questions. I want to increase marketing efforts at companies that don’t currently have a lot of attendees in this case, companies with fewer than two attendees.

Amazon Q executes the required analysis and keeps me updated of the progress. Step 1 of the process identifies companies that have fewer than two attendees and lists them.

Step 2 gives an estimate of how many more attendees I might get from each company if marketing efforts are increased.

In Step 3 I can see the potential increase in total attendees (including the percentage increase) in line with the increase in marketing efforts.

Lastly, Step 4 goes even further to highlight companies I should prioritize for these increased marketing efforts.

To increase the potential number of attendees even more, I wanted to change the analysis to identify companies with fewer than three attendees instead of two attendees. I choose the AI sparkle icon in the upper right to launch a modal that I then use to provide more context and make specific changes to the previous result.


This change resulted in new projections, and I can choose to consider them for my marketing efforts or keep to the previous projections.


Now available
Amazon Q in QuickSight Pro users can use this new capability in preview in the following AWS Regions at launch: US East (N. Virginia) and US West (Oregon). Get started with a free 30-day trial of QuickSight today. To learn more, visit the Amazon QuickSight User Guide. You can submit your questions to AWS re:Post for Amazon QuickSight, or through your usual AWS Support contacts.

Veliswa.