All posts by David

Security

CVE-2017-11882 Will Never Die, (Wed, Aug 13th)

Leave a comment
This post was originally published on this site

One of the key messages broadcasted by security professionals is: "Patch, patch and patch again!". But they are nasty vulnerabilities that remain exploited by attackers even if they are pretty old. %%cve:2017-11882%% is one of them: this remote code execution affects Microsoft Office and, more precisely, the good old "Equation Editor". This tool was even killed by Microsoft due to numerous security issues[1]. But it still remains used by attackers to spread modern malware. 

Security

Microsoft August 2025 Patch Tuesday, (Tue, Aug 12th)

Leave a comment
This post was originally published on this site

This month's Microsoft patch update addresses a total of 111 vulnerabilities, with 17 classified as critical. Among these, one vulnerability was disclosed prior to the patch release, marking it as a zero-day. While none of the vulnerabilities have been exploited in the wild, the critical ones pose significant risks, including remote code execution and elevation of privilege. Users are strongly advised to apply the updates promptly to safeguard their systems against potential threats.

Security

Google Paid Ads for Fake Tesla Websites, (Sun, Aug 10th)

Leave a comment
This post was originally published on this site

In recent media events, Tesla has demoed progressively more sophisticated versions of its Optimus robots. The sales pitch is pretty simple: "Current AI" is fun, but what we really need is not something to create more funny kitten pictures. We need AI to load and empty dishwashers, fold laundry, and mow lawns. But the robot has not been for sale yet, and there is no firm release date.

Security

Mass Internet Scanning from ASN 43350 [Guest Diary], (Thu, Aug 7th)

Leave a comment
This post was originally published on this site

[This is a Guest Diary by Duncan Woosley, an ISC intern as part of the SANS.edu BACS program]

During the last three months I've had a DShield sensor online and collecting data from a deployment in AWS. This week I did some statistical analysis of the last three months of data and found surprising result. Of all the locations that scanned and attacked the DShield sensor, one location was a clear winner in terms of volume of traffic, accounting for over 65% of the total traffic sent to the sensor. To my surprise, that location was Panama!

Total DShield Sensor Traffic per Location

The top 10 locations were close to inline with common expectations, however, the traffic from Panama was greater than the total traffic from all the remaining locations combined!

Digging into the source of this anomaly, I filtered for traffic by day and found that there were massive spikes on just a few days in the last three months that accounted for most of the DShield sensor's captured volume.

Largest Single Days by volume from April 7th to July 7th

Each spike was found to be caused by traffic from a single IP each day, but the IP responsible for each spike was different. However, six of the top ten most active IPs were all from a single /24 subnet! The subnet 141.98.80.0/24 was the cause of 59.4% of total logs collected by the sensor. Moreover, nine of the top 10 IPs were from the same internet service provider (ISP) named "NForce Entertainment B.V."

Autonomous System Numbers (ASN) 43350 accounted for 71.6% of the total sensor logs! This ASN belonging to NForce Entertainment but NForce Entertainment appears to often lease out its IP space to other VPN and proxy providers like the Panama based Flyservers S.A. Flyservers is categorized as a "potentially very high fraud risk ISP" by Scamalytics and is likely the source of this activity.

Top ASNs by Total Traffic

Further research into this ISP found that the NForce Entertainment IP activity was often associated with phishing, malware, and scanning. As a Dutch ISP, they operate without strict regulatory oversight or pressure from their host nation to revoke threat actors’ use of their services.

Recommendations

Unfortunately, the solution for network defenders isn't as simple as blocking all traffic from NForce Entertainment. If your organization is in a position where no NForce Entertainment traffic is required for business, this may be an option, but the majority of organizations don’t allow sweeping IP blocking. Instead, I would recommend blocking only sensitive services and HTTP(S) endpoints that allow for logins. The following actions are recommended.

•    Flagging traffic from NForce Entertainment and particularly from ASN 43350.
•    Block access to Remote Desktop Protocol from the internet.
•    Monitor for SSH activity from ASN 43350 and configured SSH to use key based authentication.
•    Implement a Web Application Firewall (WAF) for all web applications and monitor activity originating from any sources for suspicious queries.
•    Create a WAF alert threshold for high traffic originating from a single source.

[1] https://www.arin.net/resources/guide/asn/
[2] https://scamalytics.com
[3] https://owasp.org/www-community/Web_Application_Firewall
[4] https://www.sans.edu/cyber-security-programs/bachelors-degree/

NOTE: ChatGTP was used for Spelling and grammar checks only
———–
Guy Bruneau IPSS Inc.
My GitHub Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Security

Do sextortion scams still work in 2025?, (Wed, Aug 6th)

Leave a comment
This post was originally published on this site

Sextortion e-mails have been with us for quite a while, and these days, most security professionals tend to think of them more in terms of an “e-mail background noise” rather than as if they posed any serious threat. Given that their existence is reasonably well-known even among general public, this viewpoint would seem to be justified… But are sextortion messages really irrelevant as a threat at this point, and can we therefore safely omit this topic during security awareness trainings?

Powershell

Introducing MCP Support in AI Shell Preview 6

Leave a comment
This post was originally published on this site

AI Shell Preview 6 is here!

We are super excited to announce the latest preview release of AI Shell. This release focuses on
enhancing the user experience with new features, improved error handling, and better integration
with Model Context Protocol (MCP) tools.

What’s new at a glance

  • MCP client integration
  • Built-in tools
  • Resolve-Error command improvements
  • Aliases and flows for staying in your terminal

MCP Integration

AI Shell now acts as an MCP client, which allows you to add any MCP server to your AI Shell
experience. Connecting to an MCP server massively improves the capability of your AI Shell giving
you the tools that provide more relevant data or carry out actions!

AI Shell MCP Client

Adding MCP Servers

To add an MCP server, create an mcp.json file in $HOME.aish folder. The following example
shows two MCP servers: everything and filesystem. You can add any MCP servers you want.

{
    "servers": {
      "everything":{
        "type":"stdio",
        "command":"npx",
        "args":["-y", "@modelcontextprotocol/server-everything"]
      },
      "filesystem": {
        "type": "stdio",
        "command": "npx",
        "args": [
          "-y",
          "@modelcontextprotocol/server-filesystem",
          "C:/Users/username/"
        ]
      }
    }
  }

If it’s a remote MCP server, change the type to https. You know that you have successfully added
an MCP server when you see it in the AI Shell UI. You can confirm that it’s running by checking the
status of the server through the /mcp command. Using /mcp also lists each MCP Server and the
tools available.

Screenshot of MCP servers registered in AI Shell

NOTE

You must have Node.js or uv installed to use MCP servers that
use those command lines tools.

Standalone experience with AI Shell and MCP Servers

MCP servers enhance your standalone experience with AI Shell, allowing your command line to use MCP
servers and AI to perform tasks. For example, @simonb97/server-win-cli is an MCP server that
allows you to run commands on your Windows machine, whether it be PowerShell, CMD, Git Bash, or any
configured shell you use! It also provides configuration settings to define which commands and
operations are allowed to run.

CAUTION

Please note this is a community MCP server and not an
official Microsoft MCP Server. We encourage you to do your own research and testing before using
it.

AI Shell with MCP Server

Additional MCP servers:

Built-in Tools for AI Shell

This release introduces built-in tools that are now accessible to agents within AI Shell. These
commands are similar to MCP Server tools, but are exclusive to the AI Shell experience. These tools
are designed to enhance the AI Shell experience by providing context-aware capabilities and
automation features. They can be used in conjunction with the MCP servers to create a powerful
AI-driven shell environment.

Tool Name Description
get_working_directory Get the current working directory of the connected PowerShell session, including the provider name (e.g., FileSystem, Certificate) and the path (e.g., C:\, cert:\).
get_command_history Get up to 5 of the most recent commands executed in the connected PowerShell session.
get_terminal_content Get all output currently displayed in the terminal window of the connected PowerShell session.
get_environment_variables Get environment variables and their values from the connected PowerShell session. Values of potentially sensitive variables are redacted.
copy_text_to_clipboard Copy the provided text or code to the system clipboard, making it available for pasting elsewhere.
post_code_to_terminal Insert code into the prompt of the connected PowerShell session without executing it. The user can review and choose to run it manually by pressing Enter.
run_command_in_terminal This tool allows you to execute shell commands in a persistent PowerShell session, preserving environment variables, working directory, and other context across multiple commands.
get_command_output Get the output of a command previously started with run_command_in_terminal.

Note

The built-in tools rely on the side-car experience with a
connected PowerShell session and provide enhanced context awareness and automation capabilities.

Here is a simple demo showing how you can have AI Shell run commands on your behalf using the
run_command_in_terminal tool:

Run command in terminal tool

This example shows how additional context is provided to AI Shell to improve results:

Getting more context with built-in tools

You can also use the get_terminal_content tool to get the content from the connected terminal and
provide it to AI Shell to help it understand what you are trying to do:

Getting content from the screen ran before AI Shell starts to get assistance

Resolve-Error Command Improvements

Previously the Resolve-Error command was only able to run after an error occurred in the previous
command. Now, Resolve-Error identifies which command the user wants to troubleshoot:

  • If the last error’s command matches the most recent command in history, it’s assumed to be the one
    the user is interested in.
  • If the last error’s command isn’t the most recent and $LastErrorCode is null or zero, the error
    likely comes from an earlier command, not the very last one.
  • If $LastErrorCode is non-zero and $? is false, the last command was a failing native command.
  • If $LastErrorCode is non-zero but $? is true, it’s unclear which command or failure the user
    is focused on, so the agent analyzes the terminal content to determine the relevant context.

This logic allows AI Shell to better understand what the error the user is trying to resolve is
rather than requiring you to ask for AI’s help immediately after an error occurs.

Staying in your shell

The Invoke-AIShell and Resolve-Error commands allow you to stay in your working terminal to
interact with the AI Shell agent. To learn more about the parameters added, see the
previous blog post that details these features. For your convenience, these commands have
aliases that make them quicker to use.

Command Name Alias
Invoke-AIShell askai
Resolve-Error fixit

Fixing an error and utilizing fixit and askai commands

Conclusion

We hope that these enhancements make your experience with AI Shell more powerful! We are always
looking for feedback and suggestions, so please submit issues or feature requests in our
GitHub repository.

Thank you so much!

AI Shell Team

Steven Bucher & Dongbo Wang

The post Introducing MCP Support in AI Shell Preview 6 appeared first on PowerShell Team.

AWS

Introducing Amazon Elastic VMware Service for running VMware Cloud Foundation on AWS

Leave a comment
This post was originally published on this site

Today, we’re announcing the general availability of Amazon Elastic VMware Service (Amazon EVS), a new AWS service that lets you run VMware Cloud Foundation (VCF) environments directly within your Amazon Virtual Private Cloud (Amazon VPC). With Amazon EVS, you can deploy fully functional VCF environments in just hours using a guided workflow, while running your VMware workloads on qualified Amazon Elastic Compute Cloud (Amazon EC2) bare metal instances and seamlessly integrating with AWS services such as Amazon FSx for NetApp ONTAP.

Many organizations running VMware workloads on premises want to move to the cloud to benefit from improved scalability, reliability, and access to cloud services, but migrating these workloads often requires substantial changes to applications and infrastructure configurations. Amazon EVS lets customers continue using their existing VMware expertise and tools without having to re-architect applications or change established practices, thereby simplifying the migration process while providing access to AWS’s scale, reliability, and broad set of services.

With Amazon EVS, you can run VMware workloads directly in your Amazon VPC. This gives you full control over your environments while being on AWS infrastructure. You can extend your on-premises networks and migrate workloads without changing IP addresses or operational runbooks, reducing complexity and risk.

Key capabilities and features

Amazon EVS delivers a comprehensive set of capabilities designed to streamline your VMware workload migration and management experience. The service enables seamless workload migration without the need for replatforming or changing hypervisors, which means you can maintain your existing infrastructure investments while moving to AWS. Through an intuitive, guided workflow on the AWS Management Console, you can efficiently provision and configure your EVS environments, significantly reducing the complexity to migrate your workloads to AWS.

With Amazon EVS, you can deploy a fully functional VCF environment running on AWS in a few hours. This process eliminates many of the manual steps and potential configuration errors that often occur during traditional deployments. Furthermore, with Amazon EVS you can optimize your virtualization stack on AWS. Given the VCF environment runs inside your VPC, you have full full administrative access to the environment and the associated management appliances. You also have the ability to integrate third-party solutions, from external storage such as Amazon FSx for NetApp ONTAP or Pure Cloud Block Store or backup solutions such as Veeam Backup and Replication.

The service also gives you the ability to self-manage or work with AWS Partners to build, manage, and operate your environments. This provides you with flexibility to match your approach with your overall goals.

Setting up a new VCF environment

Organizations can streamline their setup process by ensuring they have all the necessary pre-requisites in place ahead of creating a new VCF environment. These prerequisites include having an active AWS account, configuring the appropriate AWS Identity and Access Management (IAM) permissions, and setting up a Amazon VPC with sufficient CIDR space and two Route Server endpoints, with each endpoint having its own peer. Additionally, customers will need to have their VMware Cloud Foundation license keys ready, secure Amazon EC2 capacity reservations specifically for i4i.metal instances, and prepare their VLAN subnet information planning.

To help ensure a smooth deployment process, we’ve provided a Getting started hub, which you can access from the EVS homepage as well as a comprehensive guide in our documentation. By following these preparation steps, you can avoid potential setup delays and ensure a successful environment creation.

Screenshots of EVS onboarding

Let’s walk through the process of setting up a new VCF environment using Amazon EVS.

Screenshots of EVS onboarding

You will need to provide your Site ID, which is allocated by Broadcom when purchasing VCF licenses, along with your license keys. To ensure a successful initial deployment, you should verify you have sufficient licensing coverage for a minimum of 256 cores. This translates to at least four i4i.metal instances, with each instance providing 64 physical cores.

This licensing requirement helps you maintain optimal performance and ensures your environment meets the necessary infrastructure specifications. By confirming these requirements upfront, you can avoid potential deployment delays and ensure a smooth setup process.

Screenshots of EVS onboarding

Once you have provided all the required details, you will be prompted to specify your host details. These are the underlying Amazon EC2 instances that your VCF environment will get deployed in.

Screenshots of EVS onboarding

Once you have filled out details for each of your host instances, you will need to configure your networking and management appliance DNS details. For further information on how to create a new VCF environment on Amazon EVS, follow the documentation here.

Screenshots of EVS onboarding

After you have created your VCF environment, you will be able to look over all of the host and configuration details through the AWS Console.

Additional things to know

Amazon EVS currently supports VCF version 5.2.1 and runs on i4i.metal instances. Future releases will expand VCF versions, licensing options, and more instance type support to provide even more flexibility for your deployments.

Amazon EVS provides flexible storage options. Your Amazon EVS local Instance storage is powered by VMware’s vSAN solution, which pools local disks across multiple ESXi hosts into a single distributed datastore. To scale your storage, you can leverage external Network File System (NFS) or iSCSI-based storage solutions. For example, Amazon FSx for NetApp ONTAP is particularly well-suited for use as an NFS datastore or shared block storage over iSCSI.

Additionally, Amazon EVS makes connecting your on-premises environments to AWS simple. You can connect from on-premises vSphere environment into Amazon EVS using a Direct Connect connection or a VPN that terminates into a transit gateway. Amazon EVS also manages the underlying connectivity from your VLAN subnets into your VMs.

AWS provides comprehensive support for all AWS services deployed by Amazon EVS, handling direct customer support while engaging with Broadcom for advanced support needs. Customers must maintain AWS Business Support on accounts running the service.

Availability and pricing

Amazon EVS is now generally available in US East (N. Virginia), US East (Ohio), US West (Oregon), Europe (Frankfurt), Europe (Ireland), and Asia Pacific (Tokyo) AWS Regions, with additional Regions coming soon. Pricing is based on the Amazon EC2 instances and AWS resources you use, with no minimum fees or upfront commitments.

To learn more, visit the Amazon EVS product page.

AWS

AWS Weekly Roundup: Amazon DocumentDB, AWS Lambda, Amazon EC2, and more (August 4, 2025)

Leave a comment
This post was originally published on this site

This week brings an array of innovations spanning from generative AI capabilities to enhancements of foundational services. Whether you’re building AI-powered applications, managing databases, or optimizing your cloud infrastructure, these updates help build more advanced, robust, and flexible applications.

Last week’s launches
Here are the launches that got my attention this week:

Additional updates
Here are some additional projects, blog posts, and news items that I found interesting:

Upcoming AWS events
Check your calendars so that you can sign up for these upcoming events:

AWS re:Invent 2025 (December 1-5, 2025, Las Vegas) — AWS’s flagship annual conference offering collaborative innovation through peer-to-peer learning, expert-led discussions, and invaluable networking opportunities.

AWS Summits — Join free online and in-person events that bring the cloud computing community together to connect, collaborate, and learn about AWS. Register in your nearest city: Mexico City (August 6) and Jakarta (August 7).

AWS Community Days — Join community-led conferences that feature technical discussions, workshops, and hands-on labs led by expert AWS users and industry leaders from around the world: Australia (August 15), Adria (September 5), Baltic (September 10), and Aotearoa (September 18).

Join the AWS Builder Center to learn, build, and connect with builders in the AWS community. Browse here upcoming in-person and virtual developer-focused events.

That’s all for this week. Check back next Monday for another Weekly Roundup!

Danilo