PowerShellGet 3.0 Preview 12 Release

This post was originally published on this site

We are excited to announce that an update to our preview of PowerShellGet 3.0 is now available on the PowerShell Gallery!

This release includes more parameters, additional pipeline support, more wildcard support and a number of other features detailed below.

How to Install PowerShellGet 3.0 Preview 12

Prerequisites

Please ensure that you have the latest (non-prerelease) version of PowerShellGet and PackageManagement installed. To check the version you currently have installed run the command: Get-InstalledModule PowerShellGet, PackageManagement

The latest version of PowerShellGet is 2.2.5, and the latest version of PackageManagement is 1.4.7.

To install the latest versions of these modules run the following:

Install-Module PowerShellGet -Force -AllowClobber

Installing the Preview

To install this preview release side-by-side with your existing PowerShellGet version, open any PowerShell console and run:

Install-Module PowerShellGet -Force -AllowPrerelease

What to expect in this update

This update adds wildcard and pipeline support for some cmdlets, adds a number of parameters and parameter sets, and includes many bug fixes. Some of the key features and breaking changes are listed below, for the full list of changes please refer to the Changelog.

Features

  • Wildcard support for Find-PSResource -Name
  • Support searching for and returning packages found across multiple repositories when using wildcard with Repository parameter (i.e Find-PSResource “PackageExistingInMultipleRepos” -Repository “*” will perform an exhaustive search).
  • Parameter set for Find-PSResource -Tag
  • Parameter set for Find-PSResource -Type
  • Parameter set for Find-PSResource -CommandName
  • Parameter set for Find-PSResource -DSCResourceName
  • -DestinationPath parameter for Publish-PSResource
  • -NoClobber functionality to Install-PSResource
  • Pipeline support for Install-PSResourceUninstall-PSResourceSave-PSResourceFind-PSResourceGet-PSResourcePublish-PSResourceGet-PSResourceRepositorySet-PSResourceRepositoryRegister-PSResourceRepositoryUnregister-PSResourceRepository
  • Consistent pre-release version support for cmdlets, including Uninstall-PSResource and Get-PSResource. For example, running Get-PSResource “MyPackage” -Version “2.0.0-beta” would only return MyPackage with version “2.0.0” and prerelease “beta”, NOT MyPackage with version “2.0.0.0” (i.e a stable version).
  • -AsNupkg and -IncludeXML parameters for Save-PSResource
  • -PassThru parameter for Install-PSResourceSave-PSResource,Update-PSResource and Unregister-PSResourceRepository
  • -SkipDependencyCheck parameter for Install-PSResourceSave-PSResource and Update-PSResource cmdlets.
  • Progress Bar for Install-PSResourceUpdate-PSResource and Save-PSResource
  • -Quiet parameter for Install-PSResourceSave-PSResource and Update-PSResource (This suppresses the progress bar display when passed in)
  • -AsNupkg and -IncludeXML parameters for Save-PSResource
  • Improved error handling
  • Restore package if installation attempt fails when reinstalling a package.

Breaking Changes

This release reverts the cmdlet name from Get-InstalledPSResource to Get-PSResource.

This release also removes the DSCResource from PowerShellGet, with the intention to continue shipping the DSCResource on the PowerShell Gallery separately from the PowerShellGet module. If the DSCResource is critical for your workload we recommend staying on preview 11 until the resource is available on the Gallery. Currently the DSCResource can also be found in its own GitHub repository. If you are impacted by this change please open an issue in our GitHub repository to ensure your scenario is covered as we move towards GA for this major update.

Features to Expect in Coming Preview Releases

This module is not yet feature complete.
Below is a list of features that we are still in the process of implementing which you can expect to see in future preview releases.

  • We will introduce a New-RequiredResourceFile cmdlet which will create a template file. If the switch -AsPSD1 is used it will create a psd1 file, otherwise it will default to JSON.
  • New-ScriptFileInfo cmdlet
  • Test-ScriptFileInfo cmdlet
  • Update-ScriptFileInfo cmdlet
  • Update-ModuleManifest cmdlet
  • Dependency management. In future releases, Install-PSResource will accept a path to a psd1 or JSON file (using -RequiredResourceFile), or a hash table or JSON (using -RequiredResource) where the key is the module name and the value is either the required version specified using Nuget version range syntax or a hash table where repository is set to the URL of the repository and version contains the Nuget version range syntax.
Install-PSResource -RequiredResource @{
  Configuration = "[1.3.1,2.0]"

  Pester        = @{
    version = "[4.4.2,4.7.0]"
    repository = "https://www.powershellgallery.com"
    credential = $cred
    allowPrerelease = $true
  }
}

In this case the modules named “Configuration”, and “Pester” will be installed. The JSON format will be the same as if this hashtable is passed to ConvertTo-Json:

{
  "Configuration": "[1.3.1,2.0]",

  "Pester": {
    "version": "[4.4.2,4.7.0]",
    "credential": null,
    "repository": "https://www.powershellgallery.com",
    "allowPrerelease": true
  }
}
  • Save-PSResource -Type Library will download nupkgs that have a lib folder in order to make it easier to use arbitrary libraries with PowerShell scripts. The dependent native library in runtimes matching the current system runtime will be copied to the root of the destination specified. An -IncludeAllRuntimes can be used to explicitly retain the runtimes directory hierarchy within the nupkg to the root of the destination.
  • Native credential management/credential persistence for registered PSRepositories
  • For cmdlets with a –URL parameter, the parameter will be renamed to -Uri.

Using the CompatPowerShellGet module

CompatPowerShellGet is a compatibility module that allows use of PowerShellGet 2.x (and below) cmdlet syntax with PowerShellGet 3.0 (and above) functionality by making a best effort mapping between the cmdlet interfaces of both versions of the module. New PowerShell scripts that only leverage PowerShellGet v3 cmdlets do not need to use this compatibility module. For example, if a user has the CompatPowerShellGet module installed and runs the command:

Install-Module PowerShellGet -MinimumVersion 1 -MaximumVersion 2 -AllowPrerelease

the CompatPowerShellGet module will get autoloaded into the PowerShell Session and will map the command to PowerShellGet 3.0 syntax:

Install-PSResource PowerShellGet -Version "[1,2]" -Prerelease" 

The command will then be executed by the PowerShellGet 3.0 implementation. The user will also get a warning to update their script to the new cmdlet interface:

WARNING: The cmdlet 'Install-Module' is deprecated, please use 'Install-PSResource.

This module is designed so that users will not need to immediately update their scripts in order to update to the latest version of PowerShell or to begin taking advantage of the performance improvements already available in PowerShellGet 3.0. We still do recommend that authors begin making the minimal changes required to update their scripts to the new cmdlet interface.

This compatibility module is designed so that it takes precedence over legacy versions of PowerShellGet. If you have this compatibility module installed and would not like it to be used, you can remove it from the PowerShell session using the Remove-Module command.

Please note that this flow is only possible if the user has both the CompatPowerShellGet module installed and the PowerShellGet 3.0 preview module installed. Once PowerShellGet 3.0 is generally available it will be a dependency of CompatPowerShellGet.

Please also note that this compatibility module will not be called if you use fully qualified cmdlets. For example, if you use PowerShellGetInstall-Module this will call a legacy version of PowerShellGet. If this is a common scenario for you, and will be a barrier to migrating to PowerShellGet 3.0 we would appreciate that feedback in our GitHub repository.

Improvements we are Considering post-GA

One important goal of PowerShellGet 3.0 is to improve the supportability of the module. As a result, once this work is complete we will iterate more quickly, and tackle other top customer issues. This list represents issues we are considering tackling, but have not committed to yet.

To track the full list of issues we are considering we are using the vNext milestone in our GitHub Repository.

How to Track the Development of this Module

GitHub is the best place to track the bugs/feature requests related to this module. We have used a combination of projects and labels on our GitHub repo to track issues for this upcoming release. We are using the label Resolved-3.0 to label issues that we plan to release at some point before we release the module as GA (generally available).

To track issues/features for the next release, please refer to this GitHub project.

Timeline/Roadmap

Expect to see preview releases as new functionality is added and bug fixes are made. User feedback will help us determine when we can have a Release Candidate version of the module which will be supported to be used in production. Based on user feedback, if we believe the 3.0 release is complete, then we will publish a 3.0 version of the module as Generally Available. Since these milestones are driven by quality, rather than date, we cannot offer an exact timeline at this point.

How to Give feedback and Get Support

We cannot overstate how critical user feedback is at this stage in the development of the module. Feedback from preview releases help inform design decisions without incurring a breaking change once generally available and used in production.

In order to help us to make key decisions around the behavior of the module please give us feedback by opening issues in our GitHub repository.

Sydney Smith, Amber Erickson, Anam Navied, Paul Higinbotham, Steven Bucher PowerShell Team

The post PowerShellGet 3.0 Preview 12 Release appeared first on PowerShell Team.

Announcing PowerShell Crescendo Release Candidate (RC)

This post was originally published on this site

Announcing Crescendo 0.9.0 Release Candidate (RC)

We are pleased to announce the Release Candidate (RC) of PowerShell Crescendo, a framework to
rapidly develop PowerShell cmdlets for native commands, regardless of platform.

The release candidate is now available for download on the
PowerShell Gallery.

To install Microsoft.PowerShell.Crescendo:

Install-Module Microsoft.PowerShell.Crescendo -AllowPrerelease

Crescendo Release Candidate Updates

Crescendo 0.9.0 Release Candidate adds support for a versioned schema and fixes scenarios
suggested by the community.

  • Added versioned schema to support future updates.
    Issue #112
  • Fixed quoting empty string parameter values.
    Issue #100
  • Fixed showing OriginalCommand in help example unless specified.
    Issue #57

Schema versioning

With this release of Crescendo, the JSON schema for the configuration is now versioned. While we
don’t expect there to be any changes, supporting a versioned schema makes is easier to support
changes in future releases.

The URL for the current version of the schema is: https://aka.ms/PowerShell/Crescendo/Schemas/2021-11.

Support for empty string parameter values

Crescendo now supports parameters that accept empty strings as argument values. The proxy cmdlet
created by Crescendo now recognizes an empty string provided as parameter value and ensures that the
empty string is passed as "" to the native executable.

For a more detailed example use case, see
Issue #100.

Displaying OriginalCommand in Help

The OriginalCommand property of a cmdlet definition is intended to contain the original native
command and parameters invoked by the proxy cmdlet. This information is display by Get-Help. With
this release, if the OriginalCommand property is empty, no placeholder is written to the
comment-based help when the module is exported.

More information

For more information about Microsoft.PowerShell.Crescendo, check out the previous posts on the
PowerShell Team blog.

For more information using Microsoft.PowerShell.Crescendo, check out this excellent blog series
by Sean Wheeler on the
PowerShell Community blog.

Future plans

The plans for the general availability (GA) release will be based on community feedback. Our goal is
to make it easier to convert your native commands to PowerShell cmdlets and receive the benefits
that PowerShell provides.

We value your ideas and feedback and hope you will give Crescendo a try. Stop by our
GitHub repository and let us know of any issues you find
or features you would like added.

The post Announcing PowerShell Crescendo Release Candidate (RC) appeared first on PowerShell Team.

Skyline Insights API – Collaborate on Skyline Findings in Slack

This post was originally published on this site

Tweet With the release of “VMware Skyline Advisor Pro”, the Skyline Insights API is made available. With the new API, you can query and script to receive Skyline’s Proactive Findings data. Even without Skyline Insights API, you were able to export Findings to CSV. Do you want to send the Findings data to slack so you and your team can take action? In some organizations, VMware admins might not go into Skyline Advisor to … Continued

The post Skyline Insights API – Collaborate on Skyline Findings in Slack appeared first on VMware Support Insider.

Skyline Insights API – Using Powercli

This post was originally published on this site

Tweet We understand that not all administrators are using Linux or Mac OSX. Here are the steps to use the Skyline Insight API when in Windows. NOTE: Please review this blog entry before proceeding. You need to do the prerequisites prior to using Powercli. Add “API User role” Create API Token In order to create … Continued

The post Skyline Insights API – Using Powercli appeared first on VMware Support Insider.

Skyline Insights API – Using GraphiQL

This post was originally published on this site

Tweet With VMware Skyline Advisor Pro, GraphiQL has been made available to view the Skyline Insights API structure. While you cannot leverage GraphiQL into any of your automation platforms, you can use it to view the data structure and output. Here are the steps to use GraphiQL.  1 – Create “Access Token” from “API Token”. Please check for more comprehensive writeup (here) 2 – Log into Advisor and select “View API Explorer” 3 – select … Continued

The post Skyline Insights API – Using GraphiQL appeared first on VMware Support Insider.

Skyline Insights API – Getting Started

This post was originally published on this site

Tweet With the release of “VMware Skyline Advisor Pro”, the Skyline Insights API is made available. Here are the steps you need to perform to have a working environment. Please read the “API Documentation” thoroughly to ensure you know all the steps and options.  NOTE: Please make sure you have also installed “jq” (if you are on a Mac). Else, remove “jq” from commands … Continued

The post Skyline Insights API – Getting Started appeared first on VMware Support Insider.

New – FreeRTOS Extended Maintenance Plan for Up to 10 Years

This post was originally published on this site

Last AWS re:Invent 2020, we announced FreeRTOS Long Term Support (LTS) that offers a more stable foundation than standard releases, as manufacturers deploy and later update devices in the field. FreeRTOS is an open source, real-time operating system for microcontrollers that makes small, low-power edge devices easy to program, deploy, secure, connect, and manage.

In 2021, FreeRTOS LTS released 202012.01 to include AWS IoT Over-the-Air (OTA) update, AWS IoT Device Defender, and AWS IoT Jobs libraries that provides feature stability, security patches, and critical bug fixes for the next two years.

Today, I am happy to announce FreeRTOS Extended Maintenance Plan (EMP), which allows embedded developers to receive critical bug fixes and security patches on their chosen FreeRTOS LTS version for up to 10 years beyond the expiry of the initial LTS period. FreeRTOS EMP lets developers improve device security (or helps keep devices secure) for years, save on operating system upgrade costs, and reduce the risks associated with patching their devices.

FreeRTOS EMP applies to libraries covered by FreeRTOS LTS. Therefore, developers have device lifecycles longer than the LTS period of 2 years and can continue using a version that provides feature stability, security patches, and critical bug fixes, all without having to plan a costly version upgrade.

Here are main features of FreeRTOS EMP:

Features Description Why is it important?
Feature stability Get FreeRTOS libraries that maintain the same set of features for years Save upgrade costs by using a stable FreeRTOS codebase for their product lifecycle
API stability Get FreeRTOS libraries that have stable APIs for years
Critical fixes Receive security patches and critical bug* fixes on your chosen FreeRTOS libraries Security patches help keep their IoT devices secure for the product lifecycle
Notification of patches Receive timely notification upcoming patches Timely awareness of security patches helps proactively plan the deployment of patches
Flexible subscription plan Extend maintenance by a year or longer Continue to renew their annual subscription for a longer period to keep the same version for the entire device lifecycle, or for a shorter period to buy time before upgrading to the latest FreeRTOS version.

* A critical bug is a defect determined by AWS to impact the functionality of the affected library and has no reasonable workaround.

Getting Started with FreeRTOS EMP
To get started, subscribe to the plan using your AWS account, and renew the subscription annually or for a longer period to either cover their product lifecycle or until you are ready to transition to a new FreeRTOS LTS release.

Before the end of the current LTS period, you will be able to use your AWS account to complete the FreeRTOS EMP registration on the FreeRTOS console, review and agree to the associated terms and conditions, select the LTS version, and buy an annual subscription. You will then gain access to the private repository where you’ll receive .zip files containing a git repo with chosen libraries, patches, and related notifications.

Under NDA, AWS will notify you via official AWS Security channels of an upcoming patch and its timelines (if AWS is reasonably able to do so and deems it appropriate). Patches will be sent to your private repository within three business days of successfully implementing and getting AWS Security approval for our mitigation.

AWS will provide technical support for FreeRTOS EMP customers via separate subscriptions to AWS Support. AWS Support is not included in FreeRTOS EMP subscriptions. You can track issues such as AWS accounts, billing, and bugs, or get access to technical experts such as patch integration issues based on your AWS Support plan.

Available Now
FreeRTOS EMP will be available for the current and all previous FreeRTOS LTS releases. Subscriptions can be renewed annually for up to 10 years from the end of the chosen LTS version’s support period. For example, a subscription for FreeRTOS 202012.01 LTS, whose LTS period ends March 2023, may be renewed annually for up to 10 years (i.e., March 2033).

You can find more information on the FreeRTOS feature page. Please send us feedback on the forum of FreeRTOS or AWS Support.

Sign up to get periodic updates on when and how you can subscribe to FreeRTOS EMP.

Channy

AWS re:Post – A Reimagined Q&A Experience for the AWS Community

This post was originally published on this site

The internet is an excellent resource for well-intentioned guidance and answers. However, it can sometimes be hard to tell if what you’re reading is, in fact, advice you should follow. Also, some users have a preference toward using a single, trusted online community rather than the open internet to provide them with reliable, vetted, and up-to-date answers to their questions.

Today, I’m happy to announce AWS re:Post, a new, question and answer (Q&A) service, part of the AWS Free Tier, that is driven by the community of AWS customers, partners, and employees. AWS re:Post is an AWS-managed Q&A service offering crowd-sourced, expert-reviewed answers to your technical questions about AWS that replaces the original AWS Forums. Community members can earn reputation points to build up their community expert status by providing accepted answers and reviewing answers from other users, helping to continually expand the availability of public knowledge across all AWS services.

AWS re:Post home page

You’ll find AWS re:Post to be an ideal resource when:

  • You are building an application using AWS, and you have a technical question about an AWS service or best practices.
  • You are learning about AWS or preparing for an AWS certification, and you have a question on an AWS service.
  • Your team is debating issues related to design, development, deployment, or operations on AWS.
  • You’d like to share your AWS expertise with the community and build a reputation as a community expert.

Example of a question and answer in AWS re:Post

There is no requirement to sign in to AWS re:Post to browse the content. For users who do choose to sign in, using their AWS account, there is the opportunity to create a profile, post questions and answers, and interact with the community. Profiles enable users to link their AWS certifications through Credly and to indicate interests in specific AWS technology domains, services, and experts. AWS re:Post automatically shares new questions with these community experts based on their areas of expertise, improving the accuracy of responses as well as encouraging responses for unanswered questions. An opt-in email is also available to receive email notifications to help users stay informed.

User profile in the re:Post community

Over the last four years, AWS re:Post has been used internally by AWS employees helping customers with their cloud journeys. Today, that same trusted technical guidance becomes available to the entire AWS community. Additionally, all active users from the previous AWS Forums have been migrated onto AWS re:Post, as well as the most-viewed content.

Questions from AWS Premium Support customers that do not receive a response from the community are passed on to AWS Support engineers. If the question is related to a customer-specific workload, AWS support will open a support case to take the conversation into a private setting. Note, however, that AWS re:Post is not intended to be used for questions that are time-sensitive or involve any proprietary information, such as customer account details, personally identifiable information, or AWS account resource data.

AWS Support Engineer presence on re:Post

Have Questions? Need Answers? Try AWS re:Post Today
If you have a technical question about an AWS service or product or are eager to get started on your journey to becoming a recognized community expert, I invite you to get started with AWS re:Post today!

New – Sustainability Pillar for AWS Well-Architected Framework

This post was originally published on this site

The AWS Well-Architected Framework has been helping AWS customers improve their cloud architectures since 2015. The framework consists of design principles, questions, and best practices across multiple pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization.

Today we are introducing a new Sustainability Pillar to help organizations learn, measure, and improve their workloads using environmental best practices for cloud computing.

Similar to the other pillars, the Sustainability Pillar contains questions aimed at evaluating the design, architecture, and implementation of your workloads to reduce their energy consumption and improve their efficiency. The pillar is designed as a tool to track your progress toward policies and best practices that support a more sustainable future, not just a simple checklist.

The Shared Responsibility Model of Cloud Sustainability
The shared responsibility model also applies to sustainability. AWS is responsible for the sustainability of the cloud, while AWS customers are responsible for sustainability in the cloud.

The sustainability of the cloud allows AWS customers to reduce associated energy usage by nearly 80% with respect to a typical on-premises deployment. This is possible because of the much higher server utilization, power and cooling efficiency, custom data center design, and continued progress on the path to powering AWS operations with 100% renewable energy by 2025. But we can achieve much more by collectively designing sustainable architectures.

We are introducing the new Sustainability Pillar to help organizations improve their sustainability in the cloud. This is a continuous effort focused on energy reduction and efficiency of all types of workloads. In practice, the pillar helps developers and cloud architects surface the trade-offs, highlight patterns and best practices, and avoid anti-patterns. For example, selecting an efficient programming language, adopting modern algorithms, using efficient data storage techniques, and deploying correctly sized and efficient infrastructure.

Specifically, the pillar is designed to support organizations in developing a better understanding of the state of their workloads, as well as the impact related to defined sustainability targets, how to measure against these targets, and how to model where they cannot directly measure.

In addition to building sustainable workloads in the cloud, you can use AWS technology to solve broader sustainability challenges. For example, reducing the environmental incidents caused by industrial equipment failure using Amazon Monitron to detect abnormal behavior and conduct preventative maintenance. We call this sustainability through the cloud.

Well-Architected Design Principles for Sustainability in the Cloud
The Sustainability Pillar includes design principles and operational guidance, as well as architectural and software patterns.

The design principles will facilitate good design for sustainability:

  • Understand your impact – Measure business outcomes and the related sustainability impact to establish performance indicators, evaluate improvements, and estimate the impact of proposed changes over time.
  • Establish sustainability goals – Set long-term goals for each workload, model return on investment (ROI) and give owners the resources to invest in sustainability goals. Plan for growth and design your architecture to reduce the impact per unit of work such as per user or per operation.
  • Maximize utilization – Right size each workload to maximize the energy efficiency of the underlying hardware, and minimize idle resources.
  • Anticipate and adopt new, more efficient hardware and software offerings – Support upstream improvements by your partners, continually evaluate hardware and software choices for efficiencies, and design for flexibility to adopt new technologies over time.
  • Use managed services – Shared services reduce the amount of infrastructure needed to support a broad range of workloads. Leverage managed services to help minimize your impact and automate sustainability best practices such as moving infrequent accessed data to cold storage and adjusting compute capacity.
  • Reduce the downstream impact of your cloud workloads – Reduce the amount of energy or resources required to use your services and reduce the need for your customers to upgrade their devices; test using device farms to measure impact and test directly with customers to understand the actual impact on them.

Well-Architected Best Practices for Sustainability
The design principles summarized above correspond to concrete architectural best practices that development teams can apply every day.

Some examples of architectural best practices for sustainability:

  • Optimize geographic placement of workloads for user locations
  • Optimize areas of code that consume the most time or resources
  • Optimize impact on customer devices and equipment
  • Implement a data classification policy
  • Use lifecycle policies to delete unnecessary data
  • Minimize data movement across networks
  • Optimize your use of GPUs
  • Adopt development and testing methods that allow rapid introduction of potential sustainability improvements
  • Increase the utilization of your build environments

Many of these best practices are generic and apply to all workloads, while others are specific to some use cases, verticals, and compute platforms. I’d highly encourage you to dive into these practices and identify the areas where you can achieve the most impact immediately.

Transforming sustainability into a non-functional requirement can result in cost effective solutions and directly translate to cost savings on AWS, as you only pay for what you use. In some cases, meeting these non-functional targets might involve tradeoffs in terms of uptime, availability, or response time. Where minor tradeoffs are required, the sustainability improvements are likely to outweigh the change in quality of service. It’s important to encourage teams to continuously experiment with sustainability improvements and embed proxy metrics in their team goals.

Available Now
The AWS Well-Architected Sustainability Pillar is a new addition to the existing framework. By using the design principles and best practices defined in the Sustainability Pillar Whitepaper, you can make informed decisions balancing security, cost, performance, reliability, and operational excellence with sustainability outcomes for your workloads on AWS.

Learn more about the new Sustainability Pillar.

Alex

AA21-336A: APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

This post was originally published on this site

Original release date: December 2, 2021

Summary

This joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.

This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT help desk software with asset management.

CVE-2021-44077, which Zoho rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. 

The Zoho update that patched this vulnerability was released on September 16, 2021, along with a security advisory. Additionally, an email advisory was sent to all ServiceDesk Plus customers with additional information. Zoho released a subsequent security advisory on November 22, 2021, and advised customers to patch immediately.

The FBI and CISA are aware of reports of malicious cyber actors likely using exploits against CVE-2021-44077 to gain access [T1190] to ManageEngine ServiceDesk Plus, as early as late October 2021. The actors have been observed using various tactics, techniques and procedures (TTPs), including:

  • Writing webshells [T1505.003] to disk for initial persistence
  • Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]
  • Conducting further operations to dump user credentials [T1003]
  • Living off the land by only using signed Windows binaries for follow-on actions [T1218]
  • Adding/deleting user accounts as needed [T1136]
  • Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives
  • Using Windows Management Instrumentation (WMI) for remote execution [T1047]
  • Deleting files to remove indicators from the host [T1070.004]
  • Discovering domain accounts with the net Windows command [T1087.002]
  • Using Windows utilities to collect and archive files for exfiltration [T1560.001]
  • Using custom symmetric encryption for command and control (C2) [T1573.001]

The FBI and CISA are proactively investigating this malicious cyber activity:

  • The FBI leverages specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies. 
  • CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors. 

Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims, while working to unmask and hold accountable those conducting malicious cyber activities.

A STIX file will be provided when available.

For a downloadable pdf of this CSA, click here

Technical Details

Compromise of the affected systems involves exploitation of CVE-2021-44077 in ServiceDesk Plus, allowing the attacker to:

  1. Achieve an unrestricted file upload through a POST request to the ServiceDesk REST API URL and upload an executable file, C:ManageEngineServicedeskbinmsiexec.exe, with a SHA256 hash of ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7. This executable file serves as a dropper and contains an embedded, encoded Godzilla JAR file.
  2. Gain execution for the dropper through a second POST request to a different REST API URL, which will then decode the embedded Godzilla JAR file and drop it to the filepath C:ManageEngineServiceDesklibtomcattomcat-postgres.jar with a SHA256 hash of 67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015.

Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.

Targeted Industries 

APT cyber actors have targeted Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries.

Indicators of Compromise 

Hashes

Webshell:

67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015
068D1B3813489E41116867729504C40019FF2B1FE32AAB4716D429780E666324
759bd8bd7a71a903a26ac8d5914e5b0093b96de61bf5085592be6cc96880e088
262cf67af22d37b5af2dc71d07a00ef02dc74f71380c72875ae1b29a3a5aa23d
a44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d
ce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382
75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600
5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb

Dropper:

ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7

Implant:

009d23d85c1933715c3edcccb46438690a66eebbcccb690a7b27c9483ad9d0ac 
083bdabbb87f01477f9cf61e78d19123b8099d04c93ef7ad4beb19f4a228589a
342e85a97212bb833803e06621170c67f6620f08cc220cf2d8d44dff7f4b1fa3

NGLite Backdoor:

805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f
3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd
5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755
3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d
342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae
7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72

KDC Sponge:

3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090
b4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665
e391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c

Malicious IIS Module:

bec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da

Renamed WinRAR:

d0c3d7003b7f5b4a3bd74a41709cfecfabea1f94b47e1162142de76aa7a063c7

Renamed csvde:

7d2780cd9acc516b6817e9a51b8e2889f2dec455295ac6e6d65a6191abadebff

Network Indicators

POST requests sent to the following URLs:

/RestAPI/ImportTechnicians?step=1

Domains:

seed.nkn[.]org

Note: the domain seed.nkn[.]org is a New Kind of Network (NKN) domain that provides legitimate peer to peer networking services utilizing blockchain technology for decentralization. It is possible to have false positive hits in a corporate network environment and it should be considered suspicious to see any software-initiated contacts to this domain or any subdomain.

Log File Analysis

  • Check serverOut*.txt log files under C:ManageEngineServiceDesklogs for suspicious log entries matching the following format:
    • [<time>]|[<date>]|[com.adventnet.servicedesk.setup.action.ImportTechniciansAction]|[INFO]|[62]: fileName is : msiexec.exe]

Filepaths

C:ManageEngineServiceDeskbinmsiexec.exe
C:ManageEngineServiceDesklibtomcattomcat-postgres.jar
C:WindowsTempScriptModule.dll
C:ManageEngineServiceDeskbinScriptModule.dll
C:Windowssystem32ME_ADAudit.exe
c:Users[username]AppDataRoamingADManagerME_ADManager.exe
%ALLUSERPROFILE%MicrosoftWindowsCachessystem.dat
C:ProgramDataMicrosoftCryptoRSAkey.dat
c:windowstempccc.exe

Tactics, Techniques, and Procedures

  • Using WMI for lateral movement and remote code execution (in particular, wmic.exe)
  • Using plaintext credentials for lateral movement
  • Using pg_dump.exe to dump ManageEngine databases
  • Dumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives
  • Active credential harvesting through LSASS (KDC Sponge)
  • Exfiltrating through webshells
  • Conducting exploitation activity often through other compromised U.S. infrastructure
  • Dropping multiple webshells and/or implants to maintain persistence
  • Using renamed versions of WinRAR, csvde, and other legitimate third-party tools for reconnaissance and exfiltration

Yara Rules

rule ReportGenerate_jsp {
   strings:
      $s1 = “decrypt(fpath)”
      $s2 = “decrypt(fcontext)”
      $s3 = “decrypt(commandEnc)”
      $s4 = “upload failed!”
      $s5 = “sevck”
      $s6 = “newid”
   condition:
      filesize < 15KB and 4 of them
}

 

rule EncryptJSP {
   strings:
      $s1 = “AEScrypt”
      $s2 = “AES/CBC/PKCS5Padding”
      $s3 = “SecretKeySpec”
      $s4 = “FileOutputStream”
      $s5 = “getParameter”
      $s6 = “new ProcessBuilder”
      $s7 = “new BufferedReader”
      $s8 = “readLine()”
   condition:
      filesize < 15KB and 6 of them
}

 

rule ZimbraImplant {
    strings:
        $u1 = “User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36”
        $u2 = “Content-Type: application/soap+xml; charset=UTF-8”
        $u3 = “/service/soap”
        $u4 = “Good Luck :::)”
        $s1 = “zimBR”
        $s2 = “log10”
        $s3 = “mymain”
        $s4 = “urn:zimbraAccount”
        $s5 = “/service/upload?fmt=extended,raw”
        $s6 = “<query>(in:”inbox” or in:”junk”) is:unread</query>”
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 2MB and 1 of ($u*) and 3 of ($s*)
}

 

rule GodzillaDropper {
    strings:
        $s1 = “UEsDBAoAAAAAAI8UXFM” // base64 encoded PK/ZIP header
        $s2 = “../lib/tomcat/tomcat-postgres.jar”
        $s3 = “RunAsManager.exe”
        $s4 = “ServiceDesk”
        $s5 = “C:Userspwndocumentsvisual studio 2015Projectspayloaddll”
        $s6 = “CreateMutexA”
        $s7 = “cplusplus_me”
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 350KB and 4 of them
}

 

rule GodzillaJAR {
    strings:
        $s1 = “org/apache/tomcat/SSLFilter.class”
        $s2 = “META-INF/services/javax.servlet.ServletContainerInitializer”
        $s3 = “org/apache/tomcat/MainFilterInitializer.class”
    condition:
        uint32(0) == 0x04034B50 and filesize < 50KB and all of them
}

 

rule APT_NGLite {
    strings:
        $s1 = “/mnt/hgfs/CrossC2-2.2”
        $s2 = “WHATswrongwithU”
        $s3 = “//seed.nkn.org:”
        $s4 = “Preylistener”
        $s5 = “preyid”
        $s6 = “Www-Authenticate”
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 15MB and 4 of them
}

 

rule KDCSponge {
    strings:
        $k1 = “kdcsvc.dll”
        $k2 = “kdccli.dll”
        $k3 = “kdcsvs.dll”
        $f1 = “KerbHashPasswordEx3”
        $f2 = “KerbFreeKey”
        $f3 = “KdcVerifyEncryptedTimeStamp”
        $s1 = “download//symbols//%S//%S//%S” wide
        $s2 = “KDC Service”
        $s3 = “system.dat”
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 1MB and 1 of ($k*) and 1 of ($f*) and 1 of ($s*)

Mitigations

Compromise Mitigations

Organizations that identify any activity related to ManageEngine ServiceDesk Plus indicators of compromise within their networks should take action immediately. 

Zoho ManageEngine ServiceDesk Plus build 11306, or higher, fixes CVE-2021-44077. ManageEngine initially released a patch for this vulnerability on September 16, 2021. A subsequent security advisory was released on November 22, 2021, and advised customers to patch immediately. Additional information can be found in the Zoho security advisory released on November 22, 2021.

In addition, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.

FBI and CISA also strongly recommend domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised. 

Note: Implementing these password resets should not be taken as a comprehensive mitigation in response to this threat; additional steps may be necessary to regain administrative control of your network. Refer to your specific products mitigation guidance for details. 

Actions for Affected Organizations

Immediately report as an incident to CISA or the FBI (refer to Contact information section below) the existence of any of the following:

  • Identification of indicators of compromise as outlined above.
  • Presence of webshell code on compromised ServiceDesk Plus servers.
  • Unauthorized access to or use of accounts.
  • Evidence of lateral movement by malicious actors with access to compromised systems.
  • Other indicators of unauthorized access or compromise.

Contact Information

Recipients of this report are encouraged to contribute any additional information that they may have related to this threat. 

For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:

Revisions

  • December 2, 2021: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.