Amazon Location – Add Maps and Location Awareness to Your Applications

This post was originally published on this site

We want to make it easier and more cost-effective for you to add maps, location awareness, and other location-based features to your web and mobile applications. Until now, doing this has been somewhat complex and expensive, and also tied you to the business and programming models of a single provider.

Introducing Amazon Location Service
Today we are making Amazon Location available in preview form and you can start using it today. Priced at a fraction of common alternatives, Amazon Location Service gives you access to maps and location-based services from multiple providers on an economical, pay-as-you-go basis.

You can use Amazon Location Service to build applications that know where they are and respond accordingly. You can display maps, validate addresses, perform geocoding (turn an address into a location), track the movement of packages and devices, and much more. You can easily set up geofences and receive notifications when tracked items enter or leave a geofenced area. You can even overlay your own data on the map while retaining full control.

You can access Amazon Location Service from the AWS Management Console, AWS Command Line Interface (CLI), or via a set of APIs. You can also use existing map libraries such as Mapbox GL and Tangram.

All About Amazon Location
Let’s take a look at the types of resources that Amazon Location Service makes available to you, and then talk about how you can use them in your applications.

MapsAmazon Location Service lets you create maps that make use of data from our partners. You can choose between maps and map styles provided by Esri and by HERE Technologies, with the potential for more maps & more styles from these and other partners in the future. After you create a map, you can retrieve a tile (at one of up to 16 zoom levels) using the GetMapTile function. You won’t do this directly, but will use Mapbox GL, Tangram, or another library instead.

Place Indexes – You can choose between indexes provided by Esri and HERE. The indexes support the SearchPlaceIndexForPosition function which returns places, such as residential addresses or points of interest (often known as POI) that are closest to the position that you supply, while also performing reverse geocoding to turn the position (a pair of coordinates) into a legible address. Indexes also support the SearchPlaceIndexForText function, which searches for addresses, businesses, and points of interest using free-form text such as an address, a name, a city, or a region.

Trackers –Trackers receive location updates from one or more devices via the BatchUpdateDevicePosition function, and can be queried for the current position (GetDevicePosition) or location history (GetDevicePositionHistory) of a device. Trackers can also be linked to Geofence Collections to implement monitoring of devices as they move in and out of geofences.

Geofence Collections – Each collection contains a list of geofences that define geographic boundaries. Here’s a geofence (created with that outlines a park near me:

Amazon Location in Action
I can use the AWS Management Console to get started with Amazon Location and then move on to the AWS Command Line Interface (CLI) or the APIs if necessary. I open the Amazon Location Service Console, and I can either click Try it! to create a set of starter resources, or I can open up the navigation on the left and create them one-by-one. I’ll go for one-by-one, and click Maps:

Then I click Create map to proceed:

I enter a Name and a Description:

Then I choose the desired map and click Create map:

The map is created and ready to be added to my application right away:

Now I am ready to embed the map in my application, and I have several options including the Amplify JavaScript SDK, the Amplify Android SDK, the Amplify iOS SDK, Tangram, and Mapbox GL (read the Developer Guide to learn more about each option).

Next, I want to track the position of devices so that I can be notified when they enter or exit a given region. I use a GeoJSON editing tool such as to create a geofence that is built from polygons, and save (download) the resulting file:

I click Create geofence collection in the left-side navigation, and in Step 1, I add my GeoJSON file, enter a Name and Description, and click Next:

Now I enter a Name and a Description for my tracker, and click Next. It will be linked to the geofence collection that I just created:

The next step is to arrange for the tracker to send events to Amazon EventBridge so that I can monitor them in CloudWatch Logs. I leave the settings as-is, and click Next to proceed:

I review all of my choices, and click Finalize to move ahead:

The resources are created, set up, and ready to go:

I can then write code or use the CLI to update the positions of my devices:

$ aws location batch-update-device-position 
   --tracker-name MyTracker1 
   --updates "DeviceId=Jeff1,Position=-122.33805,47.62748,SampleTime=2020-11-05T02:59:07+0000"

After I do this a time or two, I can retrieve the position history for the device:

$ aws location get-device-position-history 
  -tracker-name MyTracker1 --device-id Jeff1
|           GetDevicePositionHistory           |
||               DevicePositions              ||
||  DeviceId     |  Jeff1                     ||
||  ReceivedTime |  2020-11-05T02:59:17.246Z  ||
||  SampleTime   |  2020-11-05T02:59:07Z      ||
|||                 Position                 |||
|||  -122.33805                              |||
|||  47.62748                                |||
||               DevicePositions              ||
||  DeviceId     |  Jeff1                     ||
||  ReceivedTime |  2020-11-05T03:02:08.002Z  ||
||  SampleTime   |  2020-11-05T03:01:29Z      ||
|||                 Position                 |||
|||  -122.43805                              |||
|||  47.52748                                |||

I can write Amazon EventBridge rules that watch for the events, and use them to perform any desired processing. Events are published when a device enters or leaves a geofenced area, and look like this:

  "version": "0",
  "id": "7cb6afa8-cbf0-e1d9-e585-fd5169025ee0",
  "detail-type": "Location Geofence Event",
  "source": "aws.geo",
  "account": "123456789012",
  "time": "2020-11-05T02:59:17.246Z",
  "region": "us-east-1",
  "resources": [
  "detail": {
        "EventType": "ENTER",
        "GeofenceId": "LakeUnionPark",
        "DeviceId": "Jeff1",
        "SampleTime": "2020-11-05T02:59:07Z",
        "Position": [-122.33805, 47.52748]

Finally, I can create and use place indexes so that I can work with geographical objects. I’ll use the CLI for a change of pace. I create the index:

$ aws location create-place-index 
  --index-name MyIndex1 --data-source Here

Then I query it to find the addresses and points of interest near the location:

$ aws location search-place-index-for-position --index-name MyIndex1 
  --position "[-122.33805,47.62748]" --output json 
  |  jq .Results[].Place.Label
"Terry Ave N, Seattle, WA 98109, United States"
"900 Westlake Ave N, Seattle, WA 98109-3523, United States"
"851 Terry Ave N, Seattle, WA 98109-4348, United States"
"860 Terry Ave N, Seattle, WA 98109-4330, United States"
"Seattle Fireboat Duwamish, 860 Terry Ave N, Seattle, WA 98109-4330, United States"
"824 Terry Ave N, Seattle, WA 98109-4330, United States"
"9th Ave N, Seattle, WA 98109, United States"

I can also do a text-based search:

$ aws location search-place-index-for-text --index-name MyIndex1 
  --text Coffee --bias-position "[-122.33805,47.62748]" 
  --output json | jq .Results[].Place.Label
"Mohai Cafe, 860 Terry Ave N, Seattle, WA 98109, United States"
"Starbucks, 1200 Westlake Ave N, Seattle, WA 98109, United States"
"Metropolitan Deli and Cafe, 903 Dexter Ave N, Seattle, WA 98109, United States"
"Top Pot Doughnuts, 590 Terry Ave N, Seattle, WA 98109, United States"
"Caffe Umbria, 1201 Westlake Ave N, Seattle, WA 98109, United States"
"Starbucks, 515 Westlake Ave N, Seattle, WA 98109, United States"
"Cafe 815 Mercer, 815 9th Ave N, Seattle, WA 98109, United States"
"Victrola Coffee Roasters, 500 Boren Ave N, Seattle, WA 98109, United States"
"Specialty's, 520 Terry Ave N, Seattle, WA 98109, United States"

Both of the searches have other options; read the Geocoding, Reverse Geocoding, and Search to learn more.

Things to Know
Amazon Location is launching today as a preview, and you can get started with it right away. During the preview we plan to add an API for routing, and will also do our best to respond to customer feedback and feature requests as they arrive.

Pricing is based on usage, with an initial evaluation period that lasts for three months and lets you make numerous calls to the Amazon Location APIs at no charge. After the evaluation period you pay the prices listed on the Amazon Location Pricing page.

Amazon Location is available in the US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Ireland), and Asia Pacific (Tokyo) Regions.



PowerShell 7.2 Preview 2 release

This post was originally published on this site

PowerShell 7.2 Preview 2

Today we are proud to announce the second preview release of PowerShell 7.2.
This preview is still based on .NET 5 as we wait for the first preview of .NET 6 which we expect PowerShell 7.2 to be based upon.

This preview includes many changes including code cleanup, bug fixes, and a few new features.

Code cleanup

The community has made significant contributions to code cleanup
which is a focus early in a new release.
Approximately two thirds of the 120 pull requets were for code cleanup!

Thanks to all the community members involved in submitting pull requests and reviewing them!

Notable bug fixes

Although we appreciate all bug fixes from the community, there are a few I believe have a broader impact and worth mentioning.

Correct handling of Windows invalid reparse points

On Windows, reparse points are a collection of user-defined data that define specific filesystem behaviors.
For example, symbolic links, OneDrive files, and Microsoft installed applications use reparse points.
Due to a bug introduced in PowerShell 7.1, if you try to use an executable on a drive that isn’t NTFS, you’ll get an Incorrect Function error.
This can be a local USB drive or a network share, for example.

Thanks to our community maintainer Ilya Sazonov for the fix.

We expect to backport this fix to PowerShell 7.1 for the next servicing release.

Breaking changes

-PipelineVariable common parameter

The -PipelineVariaable common parameter
now correctly contains all the objects passed in from the pipeline making script cmdlets work the same as C# cmdlets instead of just the first input object.

You can see an example of the change in behavior in the original issue.

Thanks to Joel Sallow for the fix.

New features

$PSStyle automatic variable for ANSI rendering

When working in the console with a modern terminal, color and text effects can help
make text information more interesting and useful.

This experimental feature called PSAnsiRendering exposes a new $PSStyle automatic variable that can be used for two different purposes.

The first is to make it easier to author text content that contains ANSI escape codes which control
text decorations like color, bold, italics, etc…

This example simply dumps the contents of $PSStyle and shows you the members you can use and their effect on text as well as the actual ANSI escape sequence.
Note that the custom formatting for this variable includes nested types like Formatting, Foreground, and Background.

$PSStyle variable

You can use multiple ANSI escape sequences together.
In this example, I’ve set warning messages to have bold and italicized yellow text on a magenta background:

Warning message style customization

There are also FromRgb() methods available to make use of full 24-bit color if your terminal supports it:

24-bit color text

C# module authors can also leverage $PSStyle by using the PSStyle singleton class in the System.Management.Automation namespace:

string text = $"{PSStyle.Instance.Reverse}{PSStyle.Instance.Foreground.Green}PowerShell{PSStyle.Instance.Foreground.Yellow} Rocks!{PSStyle.Instance.Reset}";

You can control how PowerShell outputs strings that contain ANSI escape sequences by setting $PSStyle.OutputRendering:

  • Automatic
    This is the default and currently will output the text as-is whether it is to the host or through the pipeline if the
    terminal supports ANSI escape sequences (otherwise the output will be plaintext). This is similar behavior to what you
    would get on Linux.
  • Ansi
    This value will output the text as-is whether it is to the host or through the pipeline.
  • PlainText
    This value will remove ANSI escape sequences from any text output whether it is to the host or through the pipeline.
  • Host
    This value will output the text as-is if sent to the host if ANSI escape sequences are supported, but will output plaintext
    if the output is sent through the pipeline or redirected. This is similar behavior to what you would get on macOS.

As this is an experimental feature, we encourage feedback on this before we make a decision to take it out of experimental.
See the original issue for additional details, but open new issues if you have any problems or
suggestions on how to improve this feature.

We very much appreciate on going feedback on our preview releases so we can make adjustments before the release is finalized.
Please participate in on going discussions or create new issues in our repo.

Thanks again to the PowerShell community and all the amazing contributors!

Steve Lee
Pricipal Software Engineer Manager
PowerShell Team

The post PowerShell 7.2 Preview 2 release appeared first on PowerShell.

New –  FreeRTOS Long Term Support to Provide Years of Feature Stability

This post was originally published on this site

Today, I’m particularly happy to announce FreeRTOS Long Term Support (LTS). FreeRTOS is an open source, real-time operating system for microcontrollers that makes small, low-power edge devices easy to program, deploy, secure, connect, and manage. LTS releases offer a more stable foundation than standard releases as manufacturers deploy and later update devices in the field. As we have planned, LTS is now included in the FreeRTOS kernel and a set of FreeRTOS libraries needed for embedded and IoT applications, and for securely connecting microcontroller-based (MCU) devices to the cloud.

Embedded developers at original equipment manufacturers (OEMs) and MCU vendors using FreeRTOS to build long-lived applications on IoT devices now get the predictability and feature stability of an LTS release without compromising access to critical security updates. FreeRTOS 202012.00 LTS release applies to the FreeRTOS kernel and IoT libraries — FreeRTOS+TCP, coreMQTT, coreHTTP, corePKCS11, coreJSON, and AWS IoT Device Shadow.

We will provide security updates and critical bug fixes for all these libraries until December 31, 2022.

Benefits of FreeRTOS LTS
Embedded developers at OEMs who want to use FreeRTOS libraries for their long-lived applications want to benefit from security updates and bug fixes in the latest FreeRTOS mainline releases. Mainline releases can introduce both new features and critical fixes, which may increase time and effort for users to include only fixes.

An LTS release provides years of feature stability of included libraries. With an LTS release, any update will not change public APIs, file structure, or build processes that could require changes to your application. Security updates and critical bug fixes will be backported at least until Dec 31, 2022. LTS releases contain updates that only address critical issues including security vulnerabilities. Therefore, the integration of LTS releases is less disruptive to customers’ development and integration efforts as they approach and move into production. For MCU vendors, this means reduced effort in integrating a stable code base and faster time to market with vendors’ latest libraries.

Available Now
The FreeRTOS 202012.00 LTS release is available now to download. To learn more, visit FreeRTOS LTS and the documentation. Please send us feedback on the Github repository and the forum of FreeRTOS.


Announcing AWS IoT Greengrass 2.0 – With an Open Source Edge Runtime and New Developer Capabilities

This post was originally published on this site

I am happy to announce AWS IoT Greengrass 2.0, a new version of AWS IoT Greengrass that makes it easy for device builders to build, deploy, and manage intelligent device software. AWS IoT Greengrass 2.0 provides an open source edge runtime, a rich set of pre-built software components, tools for local software development, and new features for managing software on large fleets of devices.

AWS IoT Greengrass 2.0 edge runtime is now open source under an Apache 2.0 license, and available on Github. Access to the source code allows you to more easily integrate your applications, troubleshoot problems, and build more reliable and performant applications that use AWS IoT Greengrass.

You can add or remove pre-built software components based on your IoT use case and your device’s CPU and memory resources. For example, you can choose to include pre-built AWS IoT Greengrass components such as stream manager only when you need to process data streams with your application, or machine learning components only when you want to perform machine learning inference locally on your devices.

The AWS IoT Greengrass IoT Greengrass 2.0 includes a new command-line interface (CLI) that allows you to locally develop and debug applications on your device. In addition, there is a new local debug console that helps you visually debug applications on your device. With these new capabilities, you can rapidly develop and debug code on a test device before using the cloud to deploy to your production devices.

AWS IoT Greengrass 2.0 is also integrated with AWS IoT thing groups, enabling you to easily organize your devices in groups and manage application deployments across your devices with features to control rollout rates, timeouts, and rollbacks.

AWS IoT Greengrass 2.0 – Getting Started
Device builders can use AWS IoT Greengrass 2.0 by going to the AWS IoT Greengrass console where you can find a download and install command that you run on your device. Once the installer is downloaded to the device, you can use it to install Greengrass software with all essential features, register the device as an AWS IoT Thing, and create a simple “hello world” software component in less than 10 minutes.

To get started in the AWS IoT Greengrass console, you first register a test device by clicking Set up core device. You assign the name and group of your core device. To deploy to only the core device, select No group. In the next step, install the AWS IoT Greengrass Core software in your device.

When the installer completes, you can find your device in the list of AWS IoT Greengrass Core devices on the Core devices page.

AWS IoT Greengrass components enable you to develop and deploy software to your AWS IoT Greengrass Core devices. You can write your application functionality and bundle it as a private component for deployment. AWS IoT Greengrass also provides public components, which provide pre-built software for common use cases that you can deploy to your devices as you develop your device software. When you finish developing the software for your component, you can register it with AWS IoT Greengrass. Then, you can deploy and run the component on your AWS IoT Greengrass Core devices.

To create a component, click the Create component button on the Components page. You can use a recipe or import an AWS Lambda function. The component recipe is a YAML or JSON file that defines the component’s details, dependencies, compatibility, and lifecycle. To learn about the specifications, visit the recipe reference guide.

Here is an example of a YAML recipe.

When you finish developing your component, you can add it to a deployment configuration to deploy to one or more core devices. To create a new deployment or configure the components to deploy to core devices, click the Create button on the Deployments page. You can deploy to a core device or a thing group as a target, and select the components to deploy. The deployment includes the dependencies for each component that you select.

You can edit the version and parameters of selected components and advanced settings such as the rollout configuration, which defines the rate at which the configuration deploys to the target devices; timeout configuration, which defines the duration that each device has to apply the deployment; or cancel configuration, which defines when to automatically stop the deployment.

Moving to AWS IoT Greengrass 2.0
Existing devices running AWS IoT Greengrass 1.x will continue to run without any changes. If you want to take advantage of new AWS IoT Greengrass 2.0 features, you will need to move your existing AWS IoT Greengrass 1.x devices and workloads to AWS IoT Greengrass 2.0. To learn how to do this, visit the migration guide.

After you move your 1.x applications over, you can start adding components to your applications using new version 2 features, while leaving your version 1 code as-is until you decide to update them.

AWS IoT Greengrass 2.0 Partners
At launch, industry-leading partners NVIDIA and NXP have qualified a number of their devices for AWS IoT Greengrass 2.0:

See all partner device listings in the AWS Partner Device Catalog. To learn about getting your device qualified, visit the AWS Device Qualification Program.

Available Now
AWS IoT Greengrass 2.0 is available today. Please see the AWS Region table for all the regions where AWS IoT Greengrass is available. For more information, see the developer guide.

Starting today, to help you evaluate, test, and develop with this new release of AWS IoT Greengrass, the first 1,000 devices in your account will not incur any AWS IoT Greengrass charges until December 31, 2021. For pricing information, check out the AWS IoT Greengrass pricing page.

Give it a try, and please send us feedback through your usual AWS Support contacts or the AWS forum for AWS IoT Greengrass.

Learn all the details about AWS IoT Greengrass 2.0 and get started with the new version today.


New – AWS IoT Core for LoRaWAN to Connect, Manage, and Secure LoRaWAN Devices at Scale

This post was originally published on this site

Today, I am happy to announce AWS IoT Core for LoRaWAN, a new fully-managed feature that allows AWS IoT Core customers to connect and manage wireless devices that use low-power long-range wide area network (LoRaWAN) connectivity with the AWS Cloud.

Using AWS IoT Core for LoRaWAN, customers can now set up a private LoRaWAN network by connecting their own LoRaWAN devices and gateways to the AWS Cloud – without developing or operating a LoRaWAN Network Server (LNS) by themselves. The LNS is required to manage LoRaWAN devices and gateways’ connection to the cloud; gateways serve as a bridge and carry device data to and from the LNS, usually over Wi-Fi or Ethernet.

This allows customers to eliminate the undifferentiated work and operational burden of managing an LNS, and enables them to easily and quickly connect and secure LoRaWAN device fleets at scale.

Combined with the long range and deep in-building coverage provided by LoRa technology, AWS IoT Core now enables customers to accelerate IoT application development using AWS services and acting on the data generated easily from connected LoRaWAN devices.

Customers – mostly enterprises – need to develop IoT applications using devices that transmit data over long range (1-3 miles of urban coverage or up to 10 miles for line-of-sight) or through the walls and floors of buildings, for example for real-time asset tracking at airports, remote temperature monitoring in buildings, or predictive maintenance of industrial equipment. Such applications also require devices to be optimized for low-power consumption, so that batteries can last several years without replacement, thus making the implementation cost-effective. Given the extended coverage of LoRaWAN connectivity, it is attractive to enterprises for these use cases, but setting up LoRaWAN connectivity in a privately managed site requires customers to operate an LNS.

With AWS IoT Core for LoRaWAN, you can connect LoRaWAN devices and gateways to the cloud with a few simple steps in the AWS IoT Management Console, thus speeding up the network setup time, and connect off-the-shelf LoRaWAN devices, without any requirement to modify embedded software, for a plug and play experience.

AWS IoT Core for LoRaWAN – Getting Started
Getting started with a LoRaWAN network setup is easy. You can find AWS IoT Core for LoRaWAN qualified gateways and developer kits from the AWS Partner Device Catalog. AWS qualified gateways and developer kits are pre-tested and come with a step by step guide from the manufacturer on how to connect it with AWS IoT Core for LoRaWAN.

With AWS IoT Core console, you can register the gateways by providing a gateway’s unique identifier (provided by the gateway vendor) and selecting LoRa frequency band. For registering devices, you can input device credentials (identifiers and security keys provided by the device vendor) on the console.

Each device has a Device Profile that specifies the device capabilities and boot parameters the LNS requires to set up LoRaWAN radio access service. Using the console, you can select a pre-populated Device Profile or create a new one.

A destination automatically routes messages from LoRaWAN devices to AWS IoT Rules Engine. Once a destination is created, you can use it to map multiple LoRaWAN devices to the same IoT rule. You can write rules using simple SQL queries, to transform and act on the device data, like converting data from proprietary binary to JSON format, raising alerts, or routing it to other AWS services like Amazon Simple Storage Service (S3). From the console, you can also query metrics for connected devices and gateways to troubleshoot connectivity issues.

Available Now
AWS IoT Core for LoRaWAN is available today in US East (N. Virginia) and Europe (Ireland) Regions. With pay-as-you-go pricing and no monthly commitments, you can connect and scale LoRaWAN device fleets reliably, and build applications with AWS services quickly and efficiently. For more information, see the pricing page.

To get started, buy an AWS qualified LoRaWAN developer kit and and launch Getting Started experience in the AWS Management Console. To learn more, visit the developer guide. Give this a try, and please send us feedback either through your usual AWS Support contacts or the AWS forum for AWS IoT.

Learn all the details about AWS IoT Core for LoRaWAN and get started with the new feature today.


Announcing Amazon Managed Service for Grafana (in Preview)

This post was originally published on this site

Today, in partnership with Grafana Labs, we are excited to announce in preview, Amazon Managed Service for Grafana (AMG), a fully managed service that makes it easy to create on-demand, scalable, and secure Grafana workspaces to visualize and analyze your data from multiple sources.

Grafana is one of the most popular open source technologies used to create observability dashboards for your applications. It has a pluggable data source model and support for different kinds of time series databases and cloud monitoring vendors. Grafana centralizes your application data from multiple open-source, cloud, and third-party data sources.

Many of our customers love Grafana, but don’t want the burden of self-hosting and managing it. AMG manages the provisioning, setup, scaling, version upgrades and security patching of Grafana, eliminating the need for customers to do it themselves. AMG automatically scales to support thousands of users with high availability.

With AMG, you will get a fully managed and secure data visualization service where you can query, correlate, and visualize operational metrics, logs and traces across multiple data sources including cloud services such as AWS, Google, and Microsoft. AMG is integrated with AWS data sources, such as Amazon CloudWatch, Amazon Elasticsearch Service, AWS X-Ray, AWS IoT SiteWise, Amazon Timestream, and others to collect operational data in a simple way. Additionally, AMG also provides plug-ins to connect to popular third-party data sources, such as Datadog, Splunk, ServiceNow, and New Relic by upgrading to Grafana Enterprise directly from the AWS Console.

Screenshot for creating and configuring a managed Grafana workspace

AMG integrates directly into your AWS Organizations. You can define a AMG workspace in one AWS account that allows you to discover and access datasources in all your accounts and regions across your AWS organization. Creating dashboards in Grafana is easy as all these different datasources are discoverable in one place.

Customers really like Grafana for the ease of creating dashboards, it comes with many built-in dashboards to use when you add a new data source, or you can take advantage of its broad community of pre-built dashboards. For example, you can see in the following image a really nice dashboard that AMG created for me from one of my AWS Lambda function.

Screenshot of an automatic dashboard for Lambda function

One of my favorite things from AMG is the built-in security features. You can easily enable single sign-on using AWS Single Sign-On, restrict access to data sources and dashboards to the right users, and access audit logs via AWS CloudTrail for your hosted Grafana workspace. With AWS Single Sign-On you can leverage your existing corporate directories to enforce authentication and authorization permissions.

Another powerful feature that AMG has is support for Alerts. AMG integrates with Amazon Simple Notification Service (SNS) so customers can send Grafana alerts to SNS as a notification destination. It also has support for four other alert destinations including PagerDuty, Slack, VictorOps and OpsGenie.

There are no up-front investments required to use AMG, and you only pay a monthly active user license fee. This means that you can provision many users to access to your Grafana workspace, but will only be billed for active users that log in and use the workspace that month. Users granted access but that do not log in, will not be billed that month. You can also upgrade to Grafana Enterprise using AWS Marketplace, to get access to enterprise plugins, support, and training content directly from Grafana Labs.


This service is available in US East (N. Virginia) and Europe (Ireland) regions. To learn more visit the AMG service page, and be sure to join our re:Invent session tomorrow 12/16 from 8:00am – 8:30am PST for a demo!

AMG is now available in preview; to get access to this service fill out the registration form here.


AA20-345A: Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data

This post was originally published on this site

Original release date: December 10, 2020<br/><h3>Summary</h3><p>This Joint Cybersecurity Advisory was coauthored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).</p>

<p>The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.</p>

<p><a href="">Click here</a> for a PDF version of this report.</p>
<h3>Technical Details</h3><p>As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors.</p>


<p>The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.</p>

<p>According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.</p>

<p>The five most common ransomware variants identified in incidents targeting K-12 schools between January and September 2020—based on open source information as well as victim and third-party incident reports made to MS-ISAC—are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil.</p>


<p>Figure 1 identifies the top 10 malware strains that have affected state, local, tribal, and territorial (SLTT) educational institutions over the past year (up to and including September 2020). Note: These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well.</p>

<p>ZeuS and Shlayer are among the most prevalent malware affecting K-12 schools.</p>

<li>ZeuS is a Trojan with several variants that targets Microsoft Windows operating systems. Cyber actors use ZeuS to infect target machines and send stolen information to command-and-control servers.</li>
<li>Shlayer is a Trojan downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malicious advertising posing as a fake Adobe Flash updater. <strong>Note: </strong>Shlayer is the only malware of the top 10 that targets MacOS; the other 9 affect Microsoft Windows operating systems</li>

<p class="text-align-center"><img alt="" data-entity-type="file" data-entity-uuid="ee5aa08d-fe73-44e6-8f7d-4b5e6ac08320" height="275" src="" width="614" /></p>

<p class="text-align-center"><cite>Figure 1: Top 10 malware affecting SLTT educational institutions</cite></p>

<h4><cite>&nbsp;</cite><br />
Distributed Denial-of-Service Attacks</h4>

<p>Cyber actors are causing disruptions to K-12 educational institutions—including third-party services supporting distance learning—with distributed denial-of-service (DDoS) attacks,&nbsp; which temporarily limit or prevent users from conducting daily operations. The availability of DDoS-for-hire services provides opportunities for any motivated malicious cyber actor to conduct disruptive attacks regardless of experience level. <strong>Note:</strong> DDoS attacks overwhelm servers with a high level of internet traffic originating from many different sources, making it impossible to mitigate at a single source.</p>

<h4>Video Conference Disruptions</h4>

<p>Numerous reports received by the FBI, CISA, and MS-ISAC since March 2020 indicate uninvited users have disrupted live video-conferenced classroom sessions. These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees (<strong>Note: </strong>doxing is the act of compiling or publishing personal information about an individual on the internet, typically with malicious intent). To enter classroom sessions, uninvited users have been observed:</p>

<li>Using student names to trick hosts into accepting them into class sessions, and</li>
<li>Accessing meetings from either publicly available links or links shared with outside users (e.g., students sharing links and/or passwords with friends).</li>

<p>Video conference sessions without proper control measures risk disruption or compromise of classroom conversations and exposure of sensitive information.</p>

<h3>Additional Risks and Vulnerabilities</h3>

<p>In addition to the recent reporting of distance learning disruptions received by the FBI, CISA, and MS-ISAC, malicious cyber actors are expected to continue seeking opportunities to exploit the evolving remote learning environment.</p>

<h4>Social Engineering</h4>

<p>Cyber actors could apply social engineering methods against students, parents, faculty, IT personnel, or other individuals involved in distance learning. Tactics, such as phishing, trick victims into revealing personal information (e.g., password or bank account information) or performing a task (e.g., clicking on a link). In such scenarios, a victim could receive what appears to be legitimate email that:</p>

<li>Requests personally identifiable information (PII) (e.g., full name, birthdate, student ID),</li>
<li>Directs the user to confirm a password or personal identification number (PIN),</li>
<li>Instructs the recipient to visit a website that is compromised by the cyber actor, or</li>
<li>Contains an attachment with malware.</li>

<p>Cyber actors also register web domains that are similar to legitimate websites in an attempt to capture individuals who mistype URLs or click on similar looking URLs. These types of attacks are referred to as domain spoofing or homograph attacks. For example, a user wanting to access <code></code> could mistakenly click on <code></code> (changed “<code>o</code>” to an “<code>e</code>”) or <code></code> (changed letter “<code>l</code>” to a number “1”) (<strong>Note:</strong> this is a fictitious example to demonstrate how a user can mistakenly click and access a website without noticing subtle changes in website URLs). Victims believe they are on a legitimate website when, in reality, they are visiting a site controlled by a cyber actor.</p>

<h4>Technology Vulnerabilities and Student Data</h4>

<p>Whether as collateral for ransomware attacks or to sell on the dark web, cyber actors may seek to exploit the data-rich environment of student information in schools and education technology (edtech) services. The need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack. In addition, educational institutions that have outsourced their distance learning tools may have lost visibility into data security measures. Cyber actors could view the increased reliance on—and sharp usership growth in—these distance learning services and student data as lucrative targets.</p>

<h4>Open/Exposed Ports</h4>

<p>The FBI, CISA, and MS-ISAC frequently see malicious cyber actors exploiting exposed Remote Desktop Protocol (RDP) services to gain initial access to a network and, often, to manually deploy ransomware. For example, cyber actors will attack ports 445 (Server Message Block [SMB]) and 3389 (RDP) to gain network access. They are then positioned to move laterally throughout a network (often using SMB), escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows cyber actors to maintain a low profile, as they are using a legitimate network service that provides them with the same functionality as any other remote user.</p>

<h4>End-of-Life Software</h4>

<p>End-of-Life (EOL) software is regularly exploited by cyber actors—often to gain initial access, deface websites, or further their reach in a network. Once a product reaches EOL, customers no longer receive security updates, technical support, or bug fixes. Unpatched and vulnerable servers are likely to be exploited by cyber actors, hindering an organization’s operational capacity.</p>
<h3>Mitigations</h3><h4>Plans and Policies</h4>

<p>The FBI and CISA encourage educational providers to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, institutions may be unable to continue teaching and administrative operations. Evaluating continuity and capability will help identify potential operational gaps. Through identifying and addressing these gaps, institutions can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. The FBI and CISA suggest K-12 educational institutions review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by cyber actors.</p>

<h4>Network Best Practices</h4>

<li>Patch operating systems, software, and firmware as soon as manufacturers release updates.</li>
<li>Check configurations for every operating system version for educational institution-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.</li>
<li>Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.</li>
<li>Use multi-factor authentication where possible.</li>
<li>Disable unused remote access/RDP ports and monitor remote access/RDP logs.</li>
<li>Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.</li>
<li>Audit user accounts with administrative privileges and configure access controls with least privilege in mind.</li>
<li>Audit logs to ensure new accounts are legitimate.</li>
<li>Scan for open or listening ports and mediate those that are not needed.</li>
<li>Identify critical assets such as student database servers and distance learning infrastructure; create backups of these systems and house the backups offline from the network.</li>
<li>Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.</li>
<li>Set antivirus and anti-malware solutions to automatically update; conduct regular scans.</li>

<h4>User Awareness Best Practices</h4>

<li>Focus on awareness and training. Because end users are targeted, make employees and students aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.</li>
<li>Ensure employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.</li>
<li>Monitor privacy settings and information available on social networking sites.</li>

<h4>Ransomware Best Practices</h4>

<p>The FBI and CISA do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. However, regardless of whether your organization decided to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office. Doing so provides the FBI with the critical information they need to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law.</p>

<p>In addition to implementing the above network best practices, the FBI and CISA also recommend the following:</p>

<li>Regularly back up data, air gap, and password protect backup copies offline.</li>
<li>Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.</li>

<h4>Denial-of-Service Best Practices</h4>

<li>Consider enrolling in a denial-of-service mitigation service that detects abnormal traffic flows and redirects traffic away from your network.</li>
<li>Create a partnership with your local internet service provider (ISP) prior to an event and work with your ISP to control network traffic attacking your network during an event.</li>
<li>Configure network firewalls to block unauthorized IP addresses and disable port forwarding.</li>

<h4>Video-Conferencing Best Practices</h4>

<li>Ensure participants use the most updated version of remote access/meeting applications.</li>
<li>Require passwords for session access.</li>
<li>Encourage students to avoid sharing passwords or meeting codes.</li>
<li>Establish a vetting process to identify participants as they arrive, such as a waiting room.</li>
<li>Establish policies to require participants to sign in using true names rather than aliases.</li>
<li>Ensure only the host controls screensharing privileges.</li>
<li>Implement a policy to prevent participants from entering rooms prior to host arrival and to prevent the host from exiting prior to the departure of all participants.</li>

<h4>Edtech Implementation Considerations</h4>

<li>When partnering with third-party and edtech services to support distance learning, educational institutions should consider the following:</li>
<li>The service provider’s cybersecurity policies and response plan in the event of a breach and their remediation practices:
<li>How did the service provider resolve past cyber incidents? How did their cybersecurity practices change after these incidents?</li>
<li>The provider’s data security practices for their products and services (e.g., data encryption in transit and at rest, security audits, security training of staff, audit logs);</li>
<li>The provider’s data maintenance and storage practices (e.g., use of company servers, cloud storage, or third-party services);</li>
<li>Types of student data the provider collects and tracks (e.g., PII, academic, disciplinary, medical, biometric, IP addresses);</li>
<li>Entities to whom the provider will grant access to the student data (e.g., vendors);</li>
<li>How the provider will use student data (e.g., will they sell it to—or share it with—third parties for service enhancement, new product development, studies, marketing/advertising?);</li>
<li>The provider’s de-identification practices for student data; and</li>
<li>The provider’s policies on data retention and deletion.</li>

<h4>Malware Defense</h4>

<p>Table 1 identifies CISA-created Snort signatures, which have been successfully used to detect and defend against related attacks, for the malware variants listed below. <strong>Note:</strong> the listing is not fully comprehensive and should not be used at the exclusion of other detection methods.</p>

<p class="text-align-center"><em>Table 1: Malware signatures</em></p>

<table border="1" cellpadding="1" cellspacing="1" class="general-table" style="width: 881.46px; height: 312px; margin-right: auto; margin-left: auto;">
<th scope="col" style="width: 198px;"><strong>Malware</strong></th>
<th scope="col" style="width: 356px;">Signature</th>
<td scope="col" style="width: 198px; text-align: left;"><strong>NanoCore</strong></td>
<td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"NANOCORE:HTTP GET URI contains 'FAD00979338'"; sid:00000000; rev:1; flow:established,to_server; content:"GET"; http_method; content:"getPluginName.php?PluginID=FAD00979338"; fast_pattern; http_uri; classtype:http-uri; metadata:service http;)&nbsp;</code></td>
<td scope="col" style="width: 198px; text-align: left;">
<td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP Client Header contains 'host|3a 20|'"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"host|3a 20||0d 0a|"; http_header; fast_pattern:only; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)&nbsp;</code></td>
<td scope="col" style="width: 198px; text-align: left;"><strong>Kovter</strong></td>
<td scope="col" style="width: 356px; text-align: left;"><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"Kovter:HTTP URI POST to CnC Server"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"POST / HTTP/1.1"; depth:15; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; depth:47; fast_pattern; content:"User-Agent|3a 20|Mozilla/"; http_header; content:!"LOADCURRENCY"; nocase; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; nocase; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/User-Agentx3a[^rn]+rnHostx3ax20(?:d{1,3}.){3}d{1,3}rnContent-Lengthx3ax20[1-5][0-9]{2,3}rn(?:Cache-Control|Pragma)x3a[^rn]+rn(?:rn)?$/H"; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:nonstd-tcp; metadata:service http;)</code></td>
<td scope="col" style="width: 198px; text-align: left;"><strong>Dridex</strong></td>
<td scope="col" style="width: 356px; text-align: left;">
<p><code>alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP URI GET contains 'invoice_########.doc' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; content:"invoice_"; http_uri; fast_pattern:only; content:".doc"; nocase; distance:8; within:4; content:"GET"; nocase; http_method; classtype:http-uri; metadata:service http;)<br />
alert tcp any any -&gt; any $HTTP_PORTS (msg:"HTTP Client Header contains 'Host|3a 20|tanevengledrep ru' (DRIDEX)"; sid:00000000; rev:1; flow:established,to_server; flowbits:isnotset,&lt;unique_ID&gt;.tagged; content:"Host|3a 20|tanevengledrep|2e|ru|0d 0a|"; http_header; fast_pattern:only; flowbits:set,&lt;unique_ID&gt;.tagged; tag:session,10,packets; classtype:http-header; metadata:service http;)</code></p>
<h3>Contact Information</h3><p>To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href=""></a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting organization; and a designated point of contact.</p>

<p>To request incident response resources or technical assistance related to these threats, contact CISA at <a href=""></a>.</p>


<p>MS-ISAC membership is open to employees or representatives from all public K-12 education entities in the United States. The MS-ISAC provides multiple cybersecurity services and benefits to help K-12 education entities increase their cybersecurity posture. To join, visit <a href=""></a>.</p>

<li><a href="">CISA Telework Guidance and Resources</a></li>
<li><a href="">CISA Cybersecurity Recommendations and Tips for Schools Using Video Conferencing</a></li>
<li><a href="">CISA Ransomware Publications</a></li>
<li><a href="">CISA Emergency Services Sector Continuity Planning Suite</a></li>
<li><a href="">CISA-MS-ISAC Joint Ransomware Guide</a></li>
<li><a href="">CISA Tip: Avoiding Social Engineering and Phishing Attacks</a></li>
<li><a href="">CISA Tip: Understanding Patches</a></li>
<li><a href="">CISA and CYBER.ORG “Cyber Safety Video Series” for K-12 students and educators</a></li>
<li><a href="">FBI PSA: “High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations</a></li>

<p><strong>Note: </strong>contact your local FBI field office (<a href=""></a>) for additional FBI products on ransomware, edtech, and cybersecurity for educational institutions.</p>
<ul> <li>Initial Version: December 10, 2020</li> </ul>
<hr />
<div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p class="privacy-and-terms">This product is provided subject to this <a href="">Notification</a> and this <a href="">Privacy &amp; Use</a> policy.</p>


Incident Report – PowerShell Gallery Downtime October 30, 2020

This post was originally published on this site


The PowerShell gallery experienced downtime on October 30th 2020. This report will give context as to what caused the downtime, what actions were taken to mitigate the issue, and what steps we are taking to improve the PowerShell gallery experience moving forward.

Downtime Impact

The downtime was declared at 2020-10-30 03:29 PDT, and was mitigated about 12 hours later at 2020-10-30 15:39 PDT. During this time packages were not available from the gallery, and the web interface was not accessible.

Root Cause of the Downtime

The downtime was a result of an attempt to fix ongoing statistics errors with the gallery. For roughly 3 weeks the PowerShell gallery was experiencing many server errors (roughly 100-200 per minute) due to a key that had reached a max int value (total downloads reached over 2 billion) and was causing persistent int overflow errors on the gallery. This prevented new entries from being added to the ‘PackageStatistics’ table (required for the intermediary processing of statistics). The int overflow first occurred on 9/18/2020.

After an attempt to perform database migrations failed due to the persistent errors manual updates were made to the database to fix inflated package statistics numbers.
These changes triggered a series of deadlock and timeout errors which consumed all our available cloud resources.
This caused a spike in DTU/CPU utilization for the database which inversely correlated with the availability for the service. The availability for the gallery was so low that it was non-functional and declared down.

Mitigating the Downtime

The first mitigation step was to restore the gallery database (DB) to a previous timestamp. It was believed that an error in the attempted fix of gallery statistics caused the DB to get into a bad state and thus restoring the DB reverted those changes. This initial error was likely due to a trigger on the database that we did not account for. Unfortunately, reverting the DB caused additional issues. Checking the PowerShell gallery backend logs, we saw that the service had trouble connecting to the DB with an error that user credentials were wrong. This indicated that the user had been orphaned by the restore so we re-created the user in the DB. After this step, checking the PowerShell gallery backend logs again, the service had additional trouble connecting to the DB with an error that login was failing. We determined that this error was caused by the DB restore dropping the DB from the gallery’s failover group. The next mitigation step was to re-add the DB to the gallery’s failover group. The final mitigation step was to restart the cloud services so they could re-connect to the failover group. At this point the gallery started working again. We validated these fixes with customers, as well as with our own testing and continued to closely monitor the DTU/CPU utilization and service availability.

Statistics Errors

The gallery has had ongoing issues with the package statistics since August 2020.

These errors came from the gallery reaching a scale (more than 2 billion installations) that was not supported by the design of the statistics pipeline. The impact of this has been both incorrect and unavailable package statistics. The package statistics from 2020-09-18 through 2020-10-07 were never recorded, which meant we were unable to recover statistics from this period.

Restoring Statistics

We restored statistics in two ways, first we repaired statistics for individual packages (surfaced on a package’s page), and then we repaired aggregated statistics (surfaced on the gallery homepage and statistics page).

In ordered to repair package statistics we updated values in our main database and within the code base itself, that referenced a key for package statistics from an integer to a bigint/long. There was some pending data that was dropped when the int overflow error first appeared. We retrieved specific ‘lost’ data from a restored database, but were unfortunately unable to recover some data (mentioned in Statistics Errors).

To repair the aggregated statistics, we then made parallel changes to our data warehouse.

Our repair items are focused on 3 categories: detect, diagnose, and fix. By focusing on these three areas, we hope to not only improve the overall performance of the gallery but also, more quickly find and mitigate issues as they arise.

  • Detect:
    • Add more notifications to the production database
    • Create alerts for when critical metrics are reached in the DB
    • Improve post-deployment validation so that we can quickly roll back undesirable changes
  • Diagnose:
    • Send database logs to a central location outside of the service so that logs are more easily available
  • Fix:
    • Improve the deployment process for gallery cloud services
    • Better document (internal) procedures for recovery and communication during an outage


We are also in the process of designing architectural changes to the PowerShell gallery, to ensure this is a reliable, performant, and supportable service moving forward.

Expectations going forward

In conjunction with these repairs, we are working to set and monitor Service Level Objectives (SLOs). Look forward to a future post detailing these expectations and how gallery users can track our progress against these objectives.

Reporting Issues

If you notice any issues with the PowerShell gallery please open an issue in our GitHub repository.

If you are a package owner and have an issue with your package please use our support alias:

We continue to update the status of the PowerShell gallery at:


PowerShell Team


The post Incident Report – PowerShell Gallery Downtime October 30, 2020 appeared first on PowerShell.

AA20-336A: Advanced Persistent Threat Actors Targeting U.S. Think Tanks

This post was originally published on this site

Original release date: December 1, 2020<br/><h3>Summary</h3><p class="tip-intro" style="font-size: 15px;"><em>This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK®) framework. See the <a href="">ATT&amp;CK for Enterprise</a> for all referenced threat actor tactics and techniques.</em></p>

<p>The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[<a href="">1</a>] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.</p>

<p>APT actors have relied on multiple avenues for initial access. These have included low-effort capabilities such as spearphishing emails and third-party message services directed at both corporate and personal accounts, as well as exploiting vulnerable web-facing devices and remote connection capabilities. Increased telework during the COVID-19 pandemic has expanded workforce reliance on remote connectivity, affording malicious actors more opportunities to exploit those connections and to blend in with increased traffic. Attackers may leverage virtual private networks (VPNs) and other remote work tools to gain initial access or persistence on a victim’s network. When successful, these low-effort, high-reward approaches allow threat actors to steal sensitive information, acquire user credentials, and gain persistent access to victim networks.</p>

<p>Given the importance that think tanks can have in shaping U.S. policy, CISA and FBI urge individuals and organizations in the international affairs and national security sectors to immediately adopt a heightened state of awareness and implement the critical steps listed in the Mitigations section of this Advisory.</p>

<p><a href="">Click here</a> for a PDF version of this report.</p>
<h3>Technical Details</h3><h4>ATT&amp;CK Profile</h4>

<p>CISA created the following MITRE ATT&amp;CK profile to provide a non-exhaustive list of tactics, techniques, and procedures (TTPs) employed by APT actors to break through think tanks’ defenses, conduct reconnaissance in their environments, exfiltrate proprietary or confidential information, and execute effects on targets. These TTPs were included based upon closed reporting on APT actors that are known to target think tanks or based upon CISA incident response data.</p>

<li><em><strong>Initial Access</strong></em> [<a href="">TA0001</a>]

<li><i>Valid Accounts </i>[<a href="">T1078</a>]</li>
<li><i>Valid Accounts: Cloud Accounts </i>[<a href="">T1078.004</a>]</li>
<li><i>External Remote Services </i>[<a href="">T1133</a>]</li>
<li><i>Drive-by Compromise</i> [<a href="">T1189</a>]</li>
<li><i>Exploit Public-Facing Application</i> [<a href="">T1190</a>]
<li><i>Supply Chain Compromise: Compromise Software Supply Chain</i> [<a href="">T1195.002</a>]</li>
<li><i>Trusted Relationship</i> [<a href="">T1199</a>]</li>
<li><i>Phishing: Spearphishing Attachment</i> [<a href="">T1566.001</a>]</li>
<li><i>Phishing: Spearphishing Link</i> [<a href="">T1566.002</a>]</li>
<li><i>Phishing: Spearphishing via Service</i> [<a href="">T1566.003</a>]</li>
<li><i><em><strong>Execution</strong></em></i> [<a href="">TA0002</a>]
<li><i>Windows Management Instrumentation </i>[<a href="">T1047</a>]</li>
<li><i>Scheduled Task/Job: Scheduled Task </i>[<a href="">T1053.005</a>]</li>
<li><i>Command and Scripting Interpreter: PowerShell </i>[<a href="">T1059.001</a>]</li>
<li><i>Command and Scripting Interpreter: Windows Command Shell</i> [<a href="">T1059.003</a>]</li>
<li><i>Command and Scripting Interpreter: Unix Shell</i> [<a href="">T1059.004</a>]</li>
<li><i>Command and Scripting Interpreter: Visual Basic </i>[<a href="">T1059.005</a>]</li>
<li><i>Command and Scripting Interpreter: Python </i>[<a href="">T1059.006</a>]</li>
<li><i>Native API </i>[<a href="">T1106</a>]</li>
<li><i>Exploitation for Client Execution</i> [<a href="">T1203</a>]</li>
<li><i>User Execution: Malicious Link </i>[<a href="">T1204.001</a>]</li>
<li><i>User Execution: Malicious File</i> [<a href="">T1204.002</a>]</li>
<li><i>Inter-Process Communication: Dynamic Data Exchange </i>[<a href="">T1559.002</a>]</li>
<li><i>System Services: Service Execution </i>[<a href="">T1569.002</a>]</li>
<li><i><em><strong>Persistence</strong></em></i> [<a href="">TA0003</a>]
<li><i>Boot or Logon Initialization Scripts: Logon Script (Windows)</i> [<a href="">T1037.001</a>]</li>
<li><i>Scheduled Task/Job: Scheduled Task</i> [<a href="">T1053.005</a>]</li>
<li><i>Account Manipulation: Exchange Email Delegate Permissions </i>[<a href="">T1098.002</a>]</li>
<li><i>Create Account: Local Account</i> [<a href="">T1136.001</a>]</li>
<li><i>Office Application Startup: Office Test </i>[<a href="">T1137.002</a>]</li>
<li><i>Office Application Startup: Outlook Home Page</i> [<a href="">T1137.004</a>]</li>
<li><i>Browser Extensions</i> [<a href="">T1176</a>]</li>
<li><i>BITS Jobs</i> [<a href="">T1197</a>]</li>
<li><i>Server Software Component: Web Shell</i> [<a href="">T1505.003</a>]</li>
<li><i>Pre-OS Boot: Bootkit</i> [<a href="">T1542.003</a>]</li>
<li><i>Create or Modify System Process: Windows Service</i> [<a href="">T1543.003</a>]</li>
<li><i>Event Triggered Execution: Change Default File Association</i> [<a href="">T1546.001</a>]</li>
<li><i>Event Triggered Execution: Windows Management Instrumentation Event Subscription </i>[<a href="">T1546.003</a>]</li>
<li><i>Event Triggered Execution: Accessibility Features</i> [<a href="">T1546.008</a>]</li>
<li><i>Event Triggered Execution: Component Object Model Hijacking</i> [<a href="">T1546.015</a>]</li>
<li><i>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder </i>[<a href="">T1547.001</a>]</li>
<li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="">T1547.009</a>]</li>
<li><i><em><strong>Privilege Escalation</strong></em></i> [<a href="">TA0004</a>]
<li><i>Process Injection</i> [<a href="">T1055</a>]</li>
<li><i>Process Injection: Process Hollowing</i> [<a href="">T1055.012</a>]</li>
<li><i>Exploitation for Privilege Escalation</i> [<a href="">T1068</a>]</li>
<li><i>Access Token Manipulation: Token Impersonation/Theft</i> [<a href="">T1134.001</a>]</li>
<li><i>Event Triggered Execution: Accessibility Features </i>[<a href="">T1546.008</a>]</li>
<li><i>Boot or Logon Autostart Execution: Shortcut Modification</i> [<a href="">T1547.009</a>]</li>
<li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="">T1548.002</a>]</li>
<li><i>Hijack Execution Flow: DLL Side-Loading</i> [<a href="">T1574.002</a>]</li>
<li><i><em><strong>Defense Evasion</strong></em></i> [<a href="">TA0005</a>]
<li><i>Rootkit</i> [<a href="">T1014</a>]</li>
<li><i>Obfuscated Files or Information: Binary Padding </i>[<a href="">T1027.001</a>]</li>
<li><i>Obfuscated Files or Information: Software Packing </i>[<a href="">T1027.002</a>]</li>
<li><i>Obfuscated Files or Information: Steganography</i> [<a href="">T1027.003</a>]</li>
<li><i>Obfuscated Files or Information: Indicator Removal from Tools</i> [<a href="">T1027.005</a>]</li>
<li><i>Masquerading: Match Legitimate Name or Location</i> [<a href="">T1036.005</a>]</li>
<li><i>Indicator Removal on Host: Clear Windows Event Logs</i> [<a href="">T1070.001</a>]</li>
<li><i>Indicator Removal on Host: Clear Command History</i> [<a href="">1070.003</a>]</li>
<li><i>Indicator Removal on Host: File Deletion</i> [<a href="">T1070.004</a>]</li>
<li><i>Indicator Removal on Host: Timestomp</i> [<a href="">T1070.006</a>]</li>
<li><i>Modify Registry</i> [<a href="">T1112</a>]</li>
<li><i>Deobfuscate/Decode Files or Information </i>[<a href="">T1140</a>]</li>
<li><i>Exploitation for Defense Evasion</i> [<a href="">T1211</a>]</li>
<li><i>Signed Binary Proxy Execution: Compiled HTML File</i> [<a href="">T1218.001</a>]</li>
<li><i><em>Signed Binary Proxy Execution: Mshta</em></i> [<a href="">T1218.005</a>]</li>
<li><i>Signed Binary Proxy Execution:<em> Rundll32 </em></i>[<a href="">T1218.011</a>]</li>
<li><i>Template Injection</i> [<a href="">T1221</a>]</li>
<li><i>Execution Guardrails: Environmental Keying</i> [<a href="">T1480.001</a>]</li>
<li><i>Abuse Elevation Control Mechanism: Bypass User Access Control</i> [<a href="">T1548.002</a>]</li>
<li><i>Use Alternate Authentication Material: Application Access Token</i> [<a href="">T1550.001</a>]</li>
<li><i>Subvert Trust Controls: Code Signing</i> [<a href="">T1553.002</a>]</li>
<li><i>Impair Defenses: Disable or Modify Tools</i> [<a href="">T1562.001</a>]</li>
<li><i>Impair Defenses: Disable or Modify System Firewall</i> [<a href="">T1562.004</a>]</li>
<li><i>Hide Artifacts: Hidden Files and Directories </i>[<a href="">T1564.001</a>]</li>
<li><i>Hide Artifacts: Hidden Window</i> [<a href="">T1564.003</a>]</li>
<li><i><em><strong>Credential Access</strong></em> </i>[<a href="">TA0006</a>]
<li><i>OS Credential Dumping: LSASS Memory</i> [<a href="">T1003.001</a>]</li>
<li><i>OS Credential Dumping: Security Account Manager </i>[<a href="">T1003.002</a>]</li>
<li><i>OS Credential Dumping: NTDS</i> [<a href="">T1003.003</a>]</li>
<li><i>OS Credential Dumping: LSA Secrets</i> [<a href="">T1003.004</a>]</li>
<li><i>OS Credential Dumping: Cached Domain Credentials</i> [<a href="">T1003.005</a>]</li>
<li><i>Network Sniffing</i> [<a href="">T1040</a>]</li>
<li><i>Input Capture: Keylogging</i> [<a href="">T1056.001</a>]</li>
<li><i>Brute Force: Password Cracking</i> [<a href="">T1110.002</a>]<i>Brute Force: Password Spraying</i> [<a href="">T1110.003</a>]</li>
<li><i>Forced Authentication</i> [<a href="">T1187</a>]</li>
<li><i>Steal Application Access Token</i> [<a href="">T1528</a>]</li>
<li><i>Unsecured Credentials: Credentials in Files</i> [<a href="">T1552.001</a>]</li>
<li><i>Unsecured Credentials: Group Policy Preferences</i> [<a href="">T1552.006</a>]</li>
<li><i>Credentials from Password Stores: Credentials from Web Browsers</i> [<a href="">T1555.003</a>]</li>
<li><i><em><strong>Discovery</strong></em> </i>[<a href="">TA0007</a>]
<li><i>System Service Discovery</i> [<a href="">T1007</a>]</li>
<li><i>Query Registry</i> [<a href="">T1012</a>]</li>
<li><i>System Network Configuration Discovery</i> [<a href="">T1016</a>]</li>
<li><i>Remote System Discovery </i>[<a href="">T1018</a>]</li>
<li><i>System Owner/User Discovery</i> [<a href="">T1033</a>]</li>
<li><i>Network Sniffing</i> [<a href="">T1040</a>]</li>
<li><i>Network Service Scanning</i> [<a href="">T1046</a>]</li>
<li><i>System Network Connections Discovery</i> [<a href="">T1049</a>]</li>
<li><i>Process Discovery</i> [<a href="">T1057</a>]</li>
<li><i>Permission Groups Discovery: Local Groups</i> [<a href="">T1069.001</a>]</li>
<li><i>Permission Groups Discovery: Domain Groups</i> [<a href="">T1069.002</a>]</li>
<li><i>System Information Discovery</i> [<a href="">T1082</a>]</li>
<li><i>File and Directory Discovery</i> [<a href="">T1083</a>]</li>
<li><i>Account Discovery: Local Account</i> [<a href="">T1087.001</a>]</li>
<li><i>Account Discovery: Domain Account</i> [<a href="">T1087.002</a>]</li>
<li><i>Peripheral Device Discovery</i> [<a href="">T1120</a>]</li>
<li><i>Network Share Discovery</i> [<a href="">T1135</a>]</li>
<li><i>Password Policy Discovery </i>[<a href="">T1201</a>]</li>
<li><i>Software Discovery: Security Software Discovery</i> [<a href="">T1518.001</a>]</li>
<li><i><em><strong>Lateral Movement </strong></em></i>[<a href="">TA0008</a>]
<li><i>Remote Services: Remote Desktop Protocol</i> [<a href="">T1021.001</a>]</li>
<li><i>Remote Services: SSH </i>[<a href="">T1021.004</a>]</li>
<li><i>Taint Shared Content </i>[<a href="">T1080</a>]</li>
<li><i>Replication Through Removable Media </i>[<a href="">T1091</a>]</li>
<li><i>Exploitation of Remote Services</i> [<a href="">T1210</a>]</li>
<li><i>Use Alternate Authentication Material: Pass the Hash </i>[<a href="">T1550.002</a>]</li>
<li><i>Use Alternate Authentication Material: Pass the Ticket</i> [<a href="">T1550.003</a>]</li>
<li><i><em><strong>Collection</strong></em></i> [<a href="">TA0009</a>]
<li><i>Data from Local System</i> [<a href="">T1005</a>]</li>
<li><i>Data from Removable Media</i> [<a href="">T1025</a>]</li>
<li><i>Data Staged: Local Data Staging</i> [<a href="">T1074.001</a>]</li>
<li><i>Screen Capture</i> [<a href="">T1113</a>]</li>
<li><i>Email Collection: Local Email Collection</i> [<a href="">T1114.001</a>]</li>
<li><i>Email Collection: Remote Email Collection</i> [<a href="">T1114.002</a>]</li>
<li><i>Automated Collection</i> [<a href="">T1119</a>]</li>
<li><i>Audio Capture</i> [<a href="">T1123</a>]</li>
<li><i>Data from Information Repositories: SharePoint </i>[<a href="">T1213.002</a>]</li>
<li><i>Archive Collected Data: Archive via Utility</i> [<a href="">T1560.001</a>]</li>
<li><i>Archive Collected Data: Archive via Custom Method</i> [<a href="">T1560.003</a>]</li>
<li><i><em><strong>Command and Control</strong></em> </i>[<a href="">TA0011</a>]
<li><i>Data Obfuscation: Junk Data</i> [<a href="">T1001.001</a>]</li>
<li><i>Fallback Channels</i> [<a href="">T1008</a>]</li>
<li><i>Application Layer Protocol: Web Protocols</i> [<a href="">T1071.001</a>]</li>
<li><i>Application Layer Protocol: File Transfer Protocols</i> [<a href="">T1071.002</a>]</li>
<li><i>Application Layer Protocol: Mail Protocols</i> [<a href="">T1071.003</a>]</li>
<li><i>Application Layer Protocol: DNS</i> [<a href="">T1071.004</a>]</li>
<li><i>Proxy: External Proxy</i> [<a href="">T1090.002</a>]</li>
<li><i>Proxy: Multi-hop Proxy</i> [<a href="">T1090.003</a>]</li>
<li><i>Proxy: Domain Fronting</i> [<a href="">T1090.004</a>]</li>
<li><i>Communication Through Removable Media</i> [<a href="">T1092</a>]</li>
<li><i>Non-Application Layer Protocol</i> [<a href="">T1095</a>]</li>
<li><i>Web Service: Dead Drop Resolver</i> [<a href="">T1102.001</a>]</li>
<li><i>Web Service: Bidirectional Communication</i> [<a href="">T1102.002</a>]</li>
<li><i>Multi-Stage Channels</i> [<a href="">T1104</a>]</li>
<li><i>Ingress Tool Transfer</i> [<a href="">T1105</a>]</li>
<li><i>Data Encoding: Standard Encoding</i> [<a href="">T1132.001</a>]</li>
<li><i>Remote Access Software</i> [<a href="">T1219</a>]</li>
<li><i>Dynamic Resolution: Domain Generation Algorithms</i> [<a href="">T1568.002</a>]</li>
<li><i>Non-Standard Port</i> [<a href="">T1571</a>]</li>
<li><i>Protocol Tunneling</i> [<a href="">T1572</a>]</li>
<li><i>Encrypted Channel: Symmetric Cryptography</i> [<a href="">T1573.001</a>]</li>
<li><i>Encrypted Channel: Asymmetric Cryptography</i> [<a href="">T1573.002</a>]</li>
<li><i><em><strong><span style="display: none;">&nbsp;</span>Exfiltration</strong> </em></i>[<a href="">TA0010</a>]
<li><i>Exfiltration Over C2 Channel</i> [<a href="">T1041</a>]</li>
<li><i>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</i> [<a href="">T1048.003</a>]</li>
<li><i><em><strong>Impact </strong></em></i>[<a href="">TA0040</a>]
<li><i>Data Encrypted for Impact</i> [<a href="">T1486</a>]</li>
<li><i>Resource Hijacking</i> [<a href="">T1496</a>]</li>
<li><i>System Shutdown/Reboot</i> [<a href="">T1529</a>]</li>
<li><i>Disk Wipe: Disk Structure Wipe</i> [<a href="">T1561.002</a>]</li>
<h3>Mitigations</h3><p>CISA and FBI recommend think tank organizations apply the following critical practices to strengthen their security posture.</p>


<li>Implement a training program to familiarize users with identifying social engineering techniques and phishing emails.</li>


<li>Log off remote connections when not in use.</li>
<li>Be vigilant against tailored spearphishing attacks targeting corporate and personal accounts (including both email and social media accounts).</li>
<li>Use different passwords for corporate and personal accounts.</li>
<li>Install antivirus software on personal devices to automatically scan and quarantine suspicious files.</li>
<li>Employ strong multi-factor authentication for personal accounts, if available.</li>
<li>Exercise caution when:
<li>Opening email attachments, even if the attachment is expected and the sender appears to be known. See <a href="">Using Caution with Email Attachments</a>.</li>
<li>Using removable media (e.g., USB thumb drives, external drives, CDs).</li>

<h4>IT Staff/Cybersecurity Personnel</h4>

<li>Segment and segregate networks and functions.</li>
<li>Change the default username and password of applications and appliances.</li>
<li>Employ strong multi-factor authentication for corporate accounts.</li>
<li>Deploy antivirus software on organizational devices to automatically scan and quarantine suspicious files.</li>
<li>Apply encryption to data at rest and data in transit.</li>
<li>Use email security appliances to scan and remove malicious email attachments or links.</li>
<li>Monitor key internal security tools and identify anomalous behavior. Flag any known indicators of compromise or threat actor behaviors for immediate response.</li>
<li>Organizations can implement mitigations of varying complexity and restrictiveness to reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on <a href="">Defending Against Malicious Cyber Activity Originating from Tor</a> for mitigation options and additional information.</li>
<li>Prevent exploitation of known software vulnerabilities by routinely applying software patches and upgrades. Foreign cyber threat actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. If these vulnerabilities are left unpatched, exploitation often requires few resources and provides threat actors with easy access to victim networks. Review CISA and FBI’s <a href="">Top 10 Routinely Exploited Vulnerabilities</a> and other CISA alerts that identify vulnerabilities exploited by foreign attackers.</li>
<li>Implement an antivirus program and a formalized patch management process.</li>
<li>Block certain websites and email attachments commonly associated with malware (e.g., .scr, .pif, .cpl, .dll, .exe).</li>
<li>Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).</li>
<li>Implement Group Policy Object and firewall rules.</li>
<li>Implement filters at the email gateway and block suspicious IP addresses at the firewall.</li>
<li>Routinely audit domain and local accounts as well as their permission levels to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.</li>
<li>Follow best practices for design and administration of the network to limit privileged account use across administrative tiers.</li>
<li>Implement a Domain-Based Message Authentication, Reporting &amp; Conformance (DMARC) validation system.</li>
<li>Disable or block unnecessary remote services.</li>
<li>Limit access to remote services through centrally managed concentrators.</li>
<li>Deny direct remote access to internal systems or resources by using network proxies, gateways, and firewalls.</li>
<li>Limit unnecessary lateral communications.</li>
<li>Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.</li>
<li>Ensure applications do not store sensitive data or credentials insecurely.</li>
<li>Enable a firewall on agency workstations, configured to deny unsolicited connection requests.</li>
<li>Disable unnecessary services on agency workstations and servers.</li>
<li>Scan for and remove suspicious email attachments; ensure any scanned attachment is its "true file type" (i.e., the extension matches the file header).</li>
<li>Monitor users' web browsing habits; restrict access to suspicious or risky sites. Contact law enforcement or CISA immediately regarding any unauthorized network access identified.</li>
<li>Visit the MITRE ATT&amp;CK techniques and tactics pages linked in the ATT&amp;CK Profile section above for additional mitigation and detection strategies for this malicious activity targeting think tanks.</li>
<h3>Contact Information</h3><p>Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at <a href=""></a>, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by email at <a href=""></a>. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To request incident response resources or technical assistance related to these threats, contact CISA at <a href=""></a>.</p>


<li><a href="">CISA Alert: Microsoft Office 365 Security Recommendations</a></li>
<li><a href="">CISA Alert: Technical Approaches to Uncovering and Remediating Malicious Activity</a></li>
<li><a href="">CISA Webpage: Telework Guidance</a></li>
<li><a href="">CISA Webpage: VPN-Related Guidance</a></li>
<li><a href="">FBI Private Industry Notification: PIN 20200409-001</a></li>
<ul> <li><a href="">[1] CyberScoop: As Europe prepares to vote, Microsoft warns of Fancy Bear attacks on democratic think tanks</a></li> </ul> <h3>Revisions</h3>
<ul> <li>Initial Version: December 1, 2020</li> </ul>
<hr />
<div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p class="privacy-and-terms">This product is provided subject to this <a href="">Notification</a> and this <a href="">Privacy &amp; Use</a> policy.</p>