Adding NIC to HP DL580 Gen9 running ESXi 5.5U3

This post was originally published on this site

Having some troubles with our HP DL580 that I was hoping I could get some suggestions for:

When we build our ESXi servers, we set the BIOS settings and Legacy BIOS mode via the profile templates in HP OneView.

We have just finished configuring a HP DL580 Gen9 with our standard build scripts and SPP but were asked to provide an additional, dedicated connection to provide a direct network path for patching.

Generally the server is built with 2 x CNE1200 NICs and 2 x LPe12000 HBAs. To accommodate the client’s request, we added an additional CNE1200 NIC to the server, ran the SPP again to apply drivers and restarted the server (new total 3 x CNE1200 NICs on DL580 Gen9).

When the server comes back online after installing the NIC, we are issued the following error message:

1706-The Extended BIOS Data Area in Server Memory has been Overwritten – Smart Array Interrupt 13h BIOS Cannot Continue – System Halted

During some troubleshooting, I noticed that if I revert the server BIOS setting to UEFI mode, it will circumvent this error and it appears that ESXi 5.5U3 loads up properly and I am able to interact with the server in vCenter no problem. We are able to configure and utilize the server properly at this stage but if I try to revert the BIOS settings to Legacy Mode, it will present the 1706-error message again.

I was poking around based on some articles I saw online regarding similar errors others have dealt with; and I noticed that the Smart Array Storage Administrator fails to load as well – the screen gets stuck on the ‘loading drivers’ portion of the built-in application.

Is there a reason to be using Legacy BIOS in ESXi 5.5U3 if I am able to boot to the OS?

I read that swapping between the 2 was not supported after installation but I have been able to do so without any obvious adverse behaviour in the system.

Is there a recommended process/steps I can follow for adding hardware such as NICs to an already running server configuration?

Would a full re-imaging of the server be recommended to have this new hardware function properly?

I can try to provide any additional, relevant information in determining the underlying cause should it be required.

Thanks for any help you guys can offer.

TA18-201A: Emotet Malware


Original release date: July 20, 2018

Systems Affected

Network Systems

Overview

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

This joint Technical Alert (TA) is the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).

Description

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading, network-wide infections that are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through its incorporated spreader modules.

Figure 1: Malicious email distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

  1. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
  2. Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
  3. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  4. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  5. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.

Example Filenames and Paths:

C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe

C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe

Typical Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

System Root Directories:

C:\Windows\11987416.exe

C:\Windows\System32\46615275.exe

C:\Windows\System32\shedaudio.exe

C:\Windows\SysWOW64\f9jwqSbS.exe
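The following is an added triage script, not part of TA18-201A and not tooling from MS-ISAC or NCCIC. It checks the three persistence locations the alert names (the Run keys, Windows services, and scheduled tasks) for executables that match the path patterns listed above. The Run-key paths and directory names come from the alert; the two heuristics (a launch path under AppData\Local or AppData\Roaming, or a numeric or eight-character random-looking name sitting directly in a system root directory) are this example's own assumptions, so hits are leads for an analyst to confirm, not verdicts.

```powershell
# Added example, not part of TA18-201A: read-only triage of the persistence
# locations the alert names (Run keys, services, scheduled tasks) against the path
# patterns it lists. The heuristics below are this example's own assumptions.
# Run elevated on the suspect host, from an account that is not a domain or shared
# local administrator, as the alert advises.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$systemRoots = @($env:SystemRoot, "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") |
    ForEach-Object { $_.ToLowerInvariant() }

$findings = New-Object System.Collections.Generic.List[object]

# Extract the executable from a command line such as "C:\x\y.exe" /arg or %SystemRoot%\y.exe
function Get-ExePath([string]$CommandLine) {
    $exe = $CommandLine.Trim()
    if ($exe -match '^"([^"]+)"')      { $exe = $Matches[1] }
    elseif ($exe -match '^(\S+\.exe)') { $exe = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Return a reason string when a path matches one of the alert's indicator patterns
function Get-SuspicionReason([string]$Path) {
    $p = $Path.ToLowerInvariant()
    if ($p -match '\\appdata\\(local|roaming)\\') { return 'launched from AppData\Local or AppData\Roaming' }
    $parent = Split-Path -Path $p -Parent
    if ($systemRoots -contains $parent) {
        $name = [IO.Path]::GetFileNameWithoutExtension($p)
        # e.g. 11987416.exe or f9jwqSbS.exe placed directly in C:\Windows or System32
        if ($name -match '^\d+$' -or $name -match '^[a-z0-9]{8}$') { return 'random-looking name directly in a system root directory' }
    }
    return $null
}

function Add-Finding([string]$Source, [string]$CommandLine) {
    if (-not $CommandLine) { return }
    $exe = Get-ExePath $CommandLine
    $why = Get-SuspicionReason $exe
    if (-not $why) { return }
    $sigStatus = 'file not found'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        # A validly signed Microsoft OS binary (snmptrap.exe, wbengine.exe, ...) is noise, not an artefact
        if ($sig.Status -eq 'Valid' -and $sig.IsOSBinary) { return }
        $sigStatus = $sig.Status
    }
    $findings.Add([pscustomobject]@{ Source = $Source; Path = $exe; Reason = $why; Signature = $sigStatus })
}

# 1. Run keys (HKCU covers only the account running this script)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }  # provider metadata
        Add-Finding -Source "Run value $key\$($prop.Name)" -CommandLine ([string]$prop.Value)
    }
}

# 2. Services: the alert's randomly named system-root files are registered as services
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    Add-Finding -Source "Service $($svc.Name)" -CommandLine $svc.PathName
}

# 3. Scheduled tasks (only exec actions carry an Execute path)
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) { Add-Finding -Source "Task $($task.TaskPath)$($task.TaskName)" -CommandLine $action.Execute }
    }
}

$findings | Format-Table -AutoSize
```

The script only reads; it does not kill processes, delete files or alter keys, because the alert's remediation for an infected host is reimaging rather than cleaning. For users other than the one running the script, the HKCU Run key must be checked in their hives under HKU, and any file that is flagged but "file not found" usually means the artefact was already removed by antivirus or by the malware itself, which is still worth recording in the incident timeline.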

Impact

Negative consequences of Emotet infection include

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

Solution

NCCIC and MS-ISAC recommend that organizations adhere to the following general best practices to limit the effect of Emotet and similar malspam:

  • Use Group Policy Object to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
  • Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
  • Apply appropriate patches and updates immediately (after appropriate testing).
  • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • If your organization does not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security or IT department.
  • Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails.
  • Provide employees training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and to never provide usernames, passwords, or personal information in answer to any unsolicited request. Educate users to hover over a link with their mouse to verify the destination prior to clicking on the link.
  • Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.
  • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
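The first recommendation above, restricting inbound SMB between client systems, is the single control that cuts off the spreader modules' path from one workstation to the next. The block below is an added example, not part of the alert and not NCCIC or MS-ISAC guidance text, showing that rule as a Windows Defender Firewall rule written into a GPO with the NetSecurity cmdlets. The workstation subnet (10.10.0.0/16), the GPO name ("Workstation SMB Lockdown" in domain corp.example) and the rule name are placeholders assumed for the example; it is run from a management host that has the Group Policy Management tools installed.

```powershell
# Added example, not from TA18-201A: the client-to-client SMB restriction the alert
# recommends, written as a Windows Defender Firewall rule stored in a GPO.
# Placeholders (assumptions, not from the alert): the workstation subnet, the GPO
# name and the rule name below.

$ClientSubnet = '10.10.0.0/16'
$Store = 'corp.example\Workstation SMB Lockdown'   # use 'PersistentStore' to trial the rule on one host
$RuleName = 'Block inbound SMB from other workstations (TA18-201A)'

# Weak state: the built-in "File and Printer Sharing (SMB-In)" allow rule admits TCP 445
# from any address once sharing is enabled, so one infected client can reach every other
# client's administrative shares.
# Hardened state: block rules take precedence over allow rules in Windows Firewall, so a
# block whose *source* scope is the client subnet removes exactly the client-to-client
# path, while management servers outside that subnet keep their access to clients and
# clients keep their outbound access to file servers (an inbound rule does not touch it).
New-NetFirewallRule -PolicyStore $Store -DisplayName $RuleName -Group 'Emotet hardening' `
    -Direction Inbound -Action Block -Enabled True -Profile Domain, Private `
    -Protocol TCP -LocalPort 445, 139 -RemoteAddress $ClientSubnet `
    -Description 'Workstations never need to serve SMB to other workstations; see TA18-201A.'

# Verify what was stored: the port filter and the remote-address scope of the new rule
$rule = Get-NetFirewallRule -PolicyStore $Store -DisplayName $RuleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The GPO still has to be linked to the workstation OU, and clients pick the rule up at the next policy refresh (or `gpupdate /target:computer /force`). Before enforcing it fleet-wide, confirm that nothing legitimate initiates SMB from one workstation to another, for example peer-to-peer software distribution, since those connections will be dropped without any warning to the user.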

If a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the system and taking action to isolate the infected workstation based on the results. If multiple workstations are infected, the following actions are recommended:

  • Identify, shut down, and take the infected machines off the network;
  • Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware;
  • Do not log in to infected systems using domain or shared local administrator accounts;
  • Reimage the infected machine(s);
  • After reviewing systems for Emotet indicators, move clean systems to a containment virtual local area network that is segregated from the infected network;
  • Issue password resets for both domain and local credentials;
  • Because Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s);
  • Identify the infection source (patient zero); and
  • Review the log files and the Outlook mailbox rules associated with the infected user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.
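The last step above, reviewing the compromised user's Outlook rules for auto-forwarding, is easy to miss and is where the data breach the alert warns about actually happens. The block below is an added example, not part of the alert, that audits inbox rules and mailbox-level forwarding for targets outside the organisation. It assumes Exchange Online with the ExchangeOnlineManagement module and an already established Connect-ExchangeOnline session; 'corp.example' and 'alice@corp.example' are placeholders for the organisation's own domain and the infected user; and the "[SMTP:address]" rendering of external recipients in rule targets is relied on as a heuristic for telling external addresses from internal ones.

```powershell
# Added example, not from TA18-201A: find inbox rules and mailbox forwarding that send
# mail outside the organisation, the post-infection check the alert asks for.
# Assumptions: ExchangeOnlineManagement module with an existing Connect-ExchangeOnline
# session; 'corp.example' and the user list below are placeholders.

$InternalDomains = @('corp.example')
# Start with the infected users; an empty list audits every user mailbox instead.
$Users = @('alice@corp.example')

# External recipients in rule targets render as '"Name" [SMTP:user@domain]' (heuristic)
function Test-ExternalTarget([string[]]$Targets) {
    foreach ($t in $Targets) {
        if ($t -match 'SMTP:([^\]\s]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLowerInvariant()
            if ($InternalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$mailboxes = if ($Users) { $Users | ForEach-Object { Get-Mailbox -Identity $_ } } else { Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox }

$findings = foreach ($mbx in $mailboxes) {
    # Forwarding configured on the mailbox itself, outside any inbox rule
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = '(mailbox forwarding)'; Enabled = $true
                           Targets = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
                           DeletesCopy = -not $mbx.DeliverToMailboxAndForward }
    }
    # Inbox rules that forward, forward-as-attachment or redirect to an external address
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ } | ForEach-Object { $_.ToString() }
        if (Test-ExternalTarget $targets) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Enabled = $rule.Enabled
                               Targets = ($targets -join '; '); DeletesCopy = [bool]$rule.DeleteMessage }
        }
    }
}
$findings | Format-Table -AutoSize
```

A rule that both forwards externally and deletes the message (DeletesCopy is true) is the pattern to treat as an active exfiltration channel: the user never sees the copied mail. Disable or remove such rules with Disable-InboxRule or Remove-InboxRule only after the rule definition has been exported for the incident record, and pair the cleanup with the credential resets listed above, since the rule was created with credentials Emotet has already harvested.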

Reporting

MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the nation’s SLTT governments. More information about this topic, as well as 24/7 cybersecurity assistance for SLTT governments, is available by phone at 866-787-4722, by email at SOC@cisecurity.org, or on MS-ISAC’s website at https://msisac.cisecurity.org/.

To report an intrusion and request resources for incident response or technical assistance, contact NCCIC by email at NCCICCustomerService@hq.dhs.gov or by phone at 888-282-0870.

Revision History

  • July 20, 2018: Initial version

PowerShell Core now available as a Snap package

The goal of PowerShell Core is to be the ubiquitous language for managing your assets in the hybrid cloud. That’s why we’ve worked to make it available on as many operating systems, architectures, and flavors of Windows, Linux, and macOS as possible.

Today, we’re happy to announce an addition to our support matrix: PowerShell Core is now available as a Snap package.

What’s a Snap package?

Snap packages are containerized applications that can be installed on many Linux distributions.

What does this do for me?

Snap packages have a number of benefits over traditional Linux software packages (e.g. DEB or RPM):

  • Snap packages carry all of their own dependencies, so you don’t need to worry about the specific versions of shared libraries installed on your machine
  • Snap packages can be installed without giving the publisher root access to the host
  • Snap packages are “safe to run” as they don’t interact with other applications or system files without your permission
  • Updates to Snaps happen automatically, and include the delta of changes between updates

How do I get it?

First, you need to make sure you’ve installed snapd.

Then, just run:

snap install powershell --classic

Now you’ve got PowerShell Core installed as a Snap! Simply start pwsh from your favorite terminal, and you’re in!

Interested in our latest preview bits?

If you live on the bleeding edge and want to grab the latest PowerShell preview, just install powershell-preview instead of powershell:

snap install powershell-preview --classic

Now you can launch PowerShell Core’s latest preview as a Snap by launching pwsh-preview from your terminal.

What about your other Linux packages?

We will continue to support our “traditional” standalone Linux packages that ship on https://packages.microsoft.com/, and we have no plans to discontinue that support.

However, we highly encourage you to check out the Snap package as a way to simplify your updates and reduce the permission set required for installation.

Happy Snapping!

Joey Aiello
PM, PowerShell