Top 10 Most Popular Knowledge Articles for VMware Cloud for April, 2023   

This post was originally published on this site

Tweet Get answers and solutions instantly by using VMware’s Knowledge Base (KB) articles to solve known issues. Whether you’re looking to improve your productivity, troubleshoot common issues, or simply learn something new, these most used and most viewed knowledge articles are a great place to start.   Here are the top 5 most viewed KB articles … Continued

The post Top 10 Most Popular Knowledge Articles for VMware Cloud for April<strong>, </strong>2023    appeared first on VMware Support Insider.

Support Requests: How to Prepare For An Upgrade

This post was originally published on this site

Tweet One other thing my customers ask me, and I want to share with you today: How to size a maintenance window and map out the segments.  Part 1: Sizing In the sci-fi series Star Trek, Montgomery Scott is the chief engineer on the Enterprise.  When Captain Kirk and Mr. Spock are away, Scotty is … Continued

The post Support Requests: How to Prepare For An Upgrade appeared first on VMware Support Insider.

Top 10 Most Popular Knowledge Articles for ESXi, VCenter, Automation Operations, vCF, and vCD for April, 2023   

This post was originally published on this site

Tweet Get answers and solutions instantly by using VMware’s Knowledge Base (KB) articles to solve known issues. Whether you’re looking to improve your productivity, troubleshoot common issues, or simply learn something new, these most used and most viewed knowledge articles are a great place to start.   Here are the top 5 most viewed KB articles … Continued

The post Top 10 Most Popular Knowledge Articles for ESXi, VCenter, Automation Operations, vCF, and vCD for April<strong>, </strong>2023    appeared first on VMware Support Insider.

VMware Skyline Advisor Pro Proactive Findings – April 2023 Edition

This post was originally published on this site

Tweet VMware Skyline Advisor Pro releases new proactive Findings every month. Findings are prioritized by trending issues in VMware Technical Support, issues raised through post escalation review, security vulnerabilities, issues raised from VMware engineering, and nominated by customers. For the month of April, we released 45 new Findings. Of these, there are 34 Findings based … Continued

The post <strong>VMware Skyline Advisor Pro Proactive Findings – April 2023 Edition</strong> appeared first on VMware Support Insider.

APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers

This post was originally published on this site

APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.

Overview and Context

The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

Download the UK PDF version of this report:

Download the US PDF version of this report:

Previous Activity

The NCSC has previously attributed the following activity to APT28:

For more information on APT28 activity, see the advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

As of 2021, APT28 has been observed using commercially available code repositories, and post-exploit frameworks such as Empire. This included the use of PowerShell Empire, in addition to Python versions of Empire.

Reconnaissance

Use of SNMP Protocol to Access Routers

In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide. This included a small number based in Europe, US government institutions and approximately 250 Ukrainian victims.

SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be misused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network.

A number of software tools can scan the entire network using SNMP, meaning that poor configuration such as using default or easy-to-guess community strings, can make a network susceptible to attacks.

Weak SNMP community strings, including the default “public,” allowed APT28 to gain access to router information. APT28 sent additional SNMP commands to enumerate router interfaces. [T1078.001]

The compromized routers were configured to accept SNMP v2 requests. SNMP v2 doesn’t support encryption and so all data, including community strings, is sent unencrypted.

Exploitation of CVE-2017-6742

APT28 exploited the vulnerability CVE-2017-6742 (Cisco Bug ID: CSCve54313) [T1190]. This vulnerability was first announced by Cisco on 29 June 2017, and patched software was made available. 

Cisco’s published advisory provided workarounds, such as limiting access to SNMP from trusted hosts only, or by disabling a number of SNMP Management Information bases (MIBs).

Malware Deployment

For some of the targeted devices, APT28 actors used an SNMP exploit to deploy malware, as detailed in the NCSC’s Jaguar Tooth Malware Analysis Report. This malware obtained further device information, which is exfiltrated over trivial file transfer protocol (TFTP), and enabled unauthenticated access via a backdoor.

The actor obtained this device information by executing a number of Command Line Interface (CLI) commands via the malware. It includes discovery of other devices on the network by querying the Address Resolution Protocol (ARP) table to obtain MAC addresses. [T1590]

Indicators of Compromise (IoCs)

Please refer to the accompanying Malware Analysis Report for indicators of compromise which may help to detect this activity.

MITRE ATT&CK®

This advisory has been compiled with respect to the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

For detailed TTPs, see the Malware Analysis Report.

Tactic

ID

Technique

Procedure

Initial Access

T1190

Exploit Public-facing Application.

APT28 exploited default/well-known community strings in SNMP as outlined in CVE-2017-6742 (Cisco Bug ID: CSCve54313).

Initial Access

T1078.001

Valid Accounts: Default Accounts.

Actors accessed victim routers by using default community strings such as “public.”

Reconnaissance

T1590

Gather Victim Network Information

Access was gained to perform reconnaissance on victim devices. Further detail of how this was achieved in available in the MITRE ATT&CK section of the Jaguar Tooth MAR.

Conclusion

APT28 has been known to access vulnerable routers by using default and weak SNMP community strings, and by exploiting CVE-2017-6742 (Cisco Bug ID: CSCve54313) as published by Cisco.

TTPs in this advisory may still be used against vulnerable Cisco devices. Organizations are advised to follow the mitigation advice in this advisory to defend against this activity.

Reporting

UK organizations should report any suspected compromises to the NCSC.
US organisations should contact CISA’s 24/7 Operations Centre at report@cisa.gov or (888) 282-0870.

Mitigation

Mitigation

  • Patch devices as advised by Cisco. The NCSC also has general guidance on managing updates and keeping software up to date.
  • Do not use SNMP if you are not required to configure or manage devices remotely to prevent unauthorized users from accessing your router.
    • If you are required to manage routers remotely, establish allow and deny lists for SNMP messages to prevent unauthorized users from accessing your router.
  • Do not allow unencrypted (i.e., plaintext) management protocols, such as SNMP v2 and Telnet. Where encrypted protocols aren’t possible, you should carry out any management activities from outside the organization through an encrypted virtual private network (VPN), where both ends are mutually authenticated.
  • Enforce a strong password policy. Don’t reuse the same password for multiple devices. Each device should have a unique password. Where possible, avoid legacy password-based authentication and implement two-factor authentication based on public-private key.
  • Disable legacy unencrypted protocols such as Telnet and SNMP v1 or v2c. Where possible, use modern encrypted protocols such as SSH and SNMP v3. Harden the encryption protocols based on current best security practice. The NCSC strongly advises owners and operators to retire and replace legacy devices that can’t be configured to use SNMP v3.
  • Use logging tools to record commands executed on your network devices, such as TACACS+ and Syslog. Use these logs to immediately highlight suspicious events and keep a record of events to support an investigation if the device’s integrity is ever in question. See NCSC guidance on monitoring and logging.
  • If you suspect your router has been compromised:
    • Follow Cisco’s advice for verifying the Cisco IOS image.
    • Revoke all keys associated with that router. When replacing the router configuration be sure to create new keys rather than pasting from the old configuration.
    • Replace both the ROMMON and Cisco IOS image with an image that has been sourced directly from the Cisco website, in case third party and internal repositories have been compromised.
  • NSA’s Network Infrastructure guide provides some best practices for SNMP.
  • See also the Cisco IOS hardening guide and Cisco’s Jaguar Tooth blog.

This product is provided subject to this Notification and this Privacy & Use policy.

Support Requests: How to Read Release Notes

This post was originally published on this site

Tweet As previously mentioned, VMware Support might ask you to upgrade to the latest release to fix an issue. Statistically, most of the Support Requests received are issues previously seen. We use tools like VMware Skyline to proactively identify issues and remediate them before the issue turns into a problem for you, but most of … Continued

The post Support Requests: How to Read Release Notes appeared first on VMware Support Insider.

New Knowledge Articles for VMware Cloud on AWS in March, 2023 

This post was originally published on this site

Tweet Stay informed with the latest VMware Knowledge Base (KB) articles created in March. The articles address common issues such as high-frequency snapshot failures, Citrix Netscaler VPX loss of connection, and email notification configuration in VMware Cloud Disaster Recovery (VCDR). Each article provides an explanation of the cause and offers step-by-step guidance on how to … Continued

The post New Knowledge Articles for VMware Cloud on AWS in March, 2023  appeared first on VMware Support Insider.

New Knowledge Base Articles for VMware Cloud on AWS in March 2023.

This post was originally published on this site

Stay informed with the latest VMware Knowledge Base (KB) articles created in March. The articles address common issues such as high-frequency snapshot failures, Citrix Netscaler VPX loss of connection, and email notification configuration in VMware Cloud Disaster Recovery (VCDR). Each article provides an explanation of the cause and offers step-by-step guidance on how to resolve the issues. If you are a VMware customer, be sure to check out these valuable resources:

The post New Knowledge Base Articles for VMware Cloud on AWS in March 2023. appeared first on VMware Support Insider.

New Knowledge Articles for VMware Horizon, WorkspaceONE, End User Computing (EUC) , and Personal Desktop for March, 2023 

This post was originally published on this site

Tweet Attention VMware customers! There have been some new Knowledge Base (KB) articles created in March that you should be aware of.  This VMware knowledge article provides an update and recommendation for customers to transition to DNS based allow lists by April 17, 2023, to enhance the security of Workspace ONE UEM SaaS IP ranges.  … Continued

The post New Knowledge Articles for VMware Horizon, WorkspaceONE, End User Computing (EUC) , and Personal Desktop for March, 2023  appeared first on VMware Support Insider.

New VMware Skyline Collector 3.4 and Advisor Pro Release

This post was originally published on this site

Tweet VMware Aria Operations for Log Endpoint Discovery and Product Name Updates We’re pleased to announce new VMware Skyline Collector 3.4 and Advisor Pro releases with VMware Aria Operations for Logs (formerly vRealize Log Insight) endpoint discovery, product name updates and new proactive Findings. If you have Auto Upgrade enabled, your Skyline Collector will automatically update.      A summary of the new … Continued

The post New VMware Skyline Collector 3.4 and Advisor Pro Release appeared first on VMware Support Insider.