The post Enhance flexibility in your Microsoft Teams Rooms with ClickShare Automatic Switching appeared first on My TechDecisions.

The Windows announcements came during Microsoft’s annual Build developer conference, during which the Redmond, Wash. tech giant made several key AI announcements, including Windows 11 Copilot.

Windows 365 Boot

Among the Windows 11 IT and management announcements, the preview of Windows 365 Boot was perhaps the most notable, as it gives Windows 11 Pro or Enterprise users the ability to log directly into their Windows 365 Cloud PC as the primary Windows experience on their device. Windows 365 Boot will take users to their Windows 11 login experience, and they will then be directly connected to their Windows 365 Cloud PC with no additional steps.

Microsoft bills this as a tool for shared devices as logging in with a unique user identity can take a user to their own personal and secure Windows experience.

To deploy Windows 365 Boot to endpoints via Microsoft Intune, IT administrators will first need to ensure that they have Windows 11-based endpoints (Windows 11 Pro and Enterprise), enrollment in the Windows Insider Program (Dev Channel), Intune Administrator rights and Windows 365 Cloud PC licenses.

This Tech Community blog includes more information on how to deploy Windows 365 Boot.

Privacy and security

Microsoft is releasing several other new features designed to make Windows 11 more secure, including the public preview of ability to isolate Win32 applications for both consumer and commercial users.

According to Microsoft, this gives developers the ability to reduce the risk of security breaches by running Win32 apps in isolation to help prevent apps from having unexpected or unauthorized access to critical internal Windows subsystems, thereby minimizing the damage of an app is compromised.

Microsoft also rehashed its Sign-in Session Token Protection Policy, which it first announced at Microsoft Secure in March, which allows applications and services to cryptographically bind security tokens on the device to restrict attackers’ ability to impersonate users on a different device after stealing tokens.

In addition, Microsoft announced account badging, starting in June, which will send users an alert to their Start menu when their account needs attention.

Other security and privacy tools now available include new app privacy settings that give users the ability to allow or block access to presence sensor information and enable or disable presence sensing features, as well as a glanceable VPN on the taskbar to give users quick access to their VPN status.

IT management

For simplified IT management, Microsoft is adding new cloud-powered capabilities to Windows 11 Enterprise designed to lower the cost of managing and securing Windows devices.

This starts with Universal Print secure release with QR code for Android delivering step-by-step process authentication, including the ability to securely release a print job only to the employee for which it’s intended. This is designed to help prevent leaks of confidential information.

Microsoft is also making it easier for IT teams to connect to hybrid workers with organizational messages. The company says this allows IT in Windows 11 Enterprise organizations to send company-branded messages from Microsoft Intune to users on various Windows surfaces, including the notification panel, above the taskbar and the Get Started app.

Although it was announced last month, Microsoft also reiterated the preview release of the ability to upgrade from Windows 10 to Windows 11 Enterprise via Windows Autopatch.

Read Microsoft’s blog to learn more about these announcements.

The post Microsoft Releases Windows 365 Boot Preview, Windows 11 IT Management Features appeared first on My TechDecisions.

The Build conference comes as Microsoft becomes fully invested in Copilot, AI and Windows 11, with much of the announcements spanning across those product categories.

Windows Copilot for Windows 11

Microsoft has already unveiled Microsoft 365 Copilot to help workers be more productive while using Microsoft’s productivity tools such as Word, PowerPoint, Outlook and more. Now, the company is launching Windows Copilot, available in preview next month, which Microsoft calls the first PC platform to provide centralized AI assistance for users.

This comes along with Bing Chat and first- and third-party plugins to help users create complex projects and collaborate more efficiently across multiple applications. Windows Copilot, essentially a virtual assistant, can be invoked from the taskbar and will stay consistent across apps, programs and windows, Microsoft says.

In a blog, Panos Panay, Microsoft’s chief product officer of Windows and devices, says Windows Copilot makes every user a power user.

“The things you love about Windows – copy/paste, Snap Assist, Snipping Tool, personalization – they are all right there for you, along with every other feature on the platform, and they only get better with Windows Copilot,” Panay writes. “For example, you can not only copy and paste, but also ask Windows Copilot to rewrite, summarize or explain your content.”

Similar to ChatGPT, Bing Chat and other chatbots driven by large language models (LLMs), Copilot can be asked a range of questions.

Since the tool was announced during the Build developer conference, Microsoft says Windows Copilot gives developers new ways to reach and innovate for shared customers.

“We welcome you to be part of the Windows Copilot journey by continuing to invest in Bing and ChatGPT plugins so your investments will carry forward to Windows Copilot,” Panay writes.

Bringing the new Bing to ChatGPT, plugins

Microsoft is also bringing its new Bing to ChatGPT to act as the default search experience, giving ChatGPT users access to Bing’s search engine which will be built-in to provide additional information from the web.

This makes ChatGPT answers grounded by search and web data, with citations. ChatGPT Plus subscribers will first get access, and it will be rolling out to free users “soon” by enabling a plugin with brings Bing to ChatGPT, Microsoft says.

Additionally, Microsoft and ChatGPT creators OpenAI are making it possible for developers to use one platform to build and submit plugins that work across both consumer and business surfaces, including ChatGPT, Bing, Dynamics 365 Copilot, Microsoft 365 Copilot, and Windows Copilot.

As part of the shared platform, Bing is adding to its support for plugins by adding several others to the Bing ecosystem.

With Microsoft launching Windows Copilot and essentially bringing Bing Chat to Windows 11 in a “more robust way,” Microsoft says Windows Copilot and Bing Chat enable those plugins to be enhanced through applications on Windows.

Microsoft says it is also natively integrating the common plugin platform into Microsoft Edge.

Microsoft Fabric

Also as part of Microsoft’s announcements is Microsoft Fabric, a new unified platform for analytics that includes data engineering, data integration, data warehousing, data science, real-time analytics, applied observability and business intelligence connected to a single data repository called OneLake, the company says.

According to Microsoft, Fabric enables customers of all technical levels to experience capabilities in a single, unified experience. It is infused with Azure OpenAI Service at every layer to help customers unlock the full potential of their data, enabling developers to leverage the power of generative AI to find insights in their data.

Fabric also incldues Copilot, allowing customers to use conversational language to create dataflows and pipelines, generate code and entire functions, build machine learning models or visualize results, Microsoft says.

Other developer tools

Microsoft also announced Hybrid AI loop to support AI development across platform, and across Azure to client with new silicon support from AMD, Intel, Nvidia and Qualcomm. This builds on Hybrid Loop, which Microsoft launched at last year’s Build conference to enable hybrid AI scenarios across Azure and client devices.

Microsoft also announced Dev Home, which it calls a new Windows 11 experience designed to help developers be more productive and streamline workflows. The preview is available in the Microsoft Store now.

Read Microsoft’s blog for the full list of new developer tools.

The post Microsoft Brings Copilot to Windows 11 appeared first on My TechDecisions.

IT admins with a Windows or Microsoft 365 tenant, a subscription with access to Windows release health in the Microsoft 365 admin center, and an eligible admin role will be able to access the feature.

As some updates can cause more issues than they fix and break certain functions, this helps give IT admins advanced warning about those issues so they can make informed decisions about pushing updates out in their organization.

How the Windows email alert feature works

When admins sign up, they’ll receive emails about new issues for the Windows versions they support, as well as updates to other issues, including changes in issue status, workarounds and issue resolution.

IT admins first need to log in to the Microsoft 365 admin center and locate Windows release health. If they don’t see this option or don’t have access to the admin center, they need to contact the organization’s global admin and request access and an admin role in the tenant, Microsoft says.

Windows release health in the Microsoft 365 admin center is available to those with an admin role for an organization/tenant with an eligible Windows or Microsoft 365 for Business subscription, Microsoft says in a blog.

How to enroll

Specifically, admins’ organization will need to have one of these subscriptions: Microsoft 365 Enterprise E3/A3/F3, Microsoft 365 Enterprise E5/A5, Windows 10 Enterprise E3/A3, Windows 10 Enterprise E5/A5, Windows 11 Enterprise E3/A3, or Windows 11 Enterprise E5/A5.

By default, the person who purchased the organization’s Microsoft business subscription is the global admin.

To subscribe to Windows release health emails, visit the Windows release health in the Microsoft 365 admin center and navigate to Preferences > Email and select Send me email notifications about Windows release heath.

From there, admins can enter up to two email addresses per admin account to receive notifications. Addresses can also include distribution lists so IT can keep colleagues informed of issues even if they don’t have access to the admin center.

Admins can also select which versions of Windows thy want to be notified about. However, if one known issue affects multiple versions of Windows, admins will only see one email.

The notification body will include the full content published about the issue in the Windows release health section of the Microsoft 365 admin center. Admins will see the status, versions affected, and links to view the message in the admin center.

When available, the text will include links to resources with additional information, along with associated KB articles that can address or resolve an issue.

The post Microsoft to Send Admins Email Alerts on Windows Update Issues appeared first on My TechDecisions.

It’s not surprising that Microsoft–along with many other security and tech vendors–used RSA Conference 2023 to focus heavily on its AI-enables security solutions, most notably Microsoft Security Copilot.

The company’s Security Copilot solution, announced in late March, is powered by OpenAI’s GPT-4 large language model that works by receiving a prompt from a security professional and leveraging the security-specific model to deploy skills and queries that maximize the value of the large language model’s capabilities.

The cybersecurity-trained model adds a learning system to create and tune new skills while helping catch what other approaches might miss and augmenting a security professional’s work. This makes Security Copilot designed to help in incident response, detect threats and strengthen security postures, Microsoft says.

However, Microsoft has since made several other security announcements, several of which were made during and shortly before RSA Conference 2023. While some of the company’s announcements didn’t specifically mention the annual cybersecurity conference hosted in San Francisco, we’re compiling all recent Microsoft security announcements to help paint a picture of where Microsoft is focusing its security efforts.

Microsoft Sentinel: Workspace Manager, Hunting

Microsoft made an explicit RSA Conference announcement of a few new things in Sentinel, its SIEM solution. The new features including Work Space Manager, a new capability designed to manage multiple workspaces at scale, as well as the upcoming Hunts capability for security operations to manage end-to-end hunting use cases.

Microsoft calls Sentinel’s Workspace Manager, now in public preview, a tool that enables large enterprises, MSSPs and MDRs to manage multiple Sentinel workspaces at scale from a central point. Workspace manager supports multi-tenant scenarios for customers with Azure Lighthouse enabled, the company says.

The tool allows organizations to organize workspaces together based on business groups, verticals, geography and more. They can be paired with a set or relevant content items like workbooks, analytics rules, automation rules and more. This builds on the workspace management capability for SAP, which is in public preview, the company says.

A new Hunts feature in Sentinel helps enable end-to-end hunting with Sentinel by allowing customers to keep track of new, active and closed hunts in one place, the company says. Analysts can proactively hunt based on specific MITRE techniques, potentially malicious activity, recent threats or their own defined hypothesis.

Users can collect evidence, investigate, annotate findings and share them with teams, Microsoft says.

In addition, Microsoft announced that all out-of-the-box (OOTB) content is available for on-demand installation in solutions or standalone content in content hub.

Defender Firewall for APIs

Microsoft announced the public preview of Defender for APIs, a new cloud-native application protection platform as part of Defender for Cloud. Through this new integration of Defender for APIs with Azure API Management, security teams can use the Defender for Cloud portal and machine-learning anomaly detection capabilities to gain visibility into business-critical Azure APIs, understand their security posture, prioritize vulnerability fixes and detect and quickly respond to active runtime threats.

According to Microsoft, within the Defender for Cloud portal, customers will have a new unified view of APIs published across all Azure API management services.

Defender for APIs enables security teams to access AIP gateway security controls against best practices in runtime and infrastructure-as-code templates, the company says. In addition, Defender for APIs provides threat detection capabilities to detect attacks against the top Open Worldwide Application Security Project (OWASP) API threats, including data exfiltration, volumetric attacks, and more.

App Governance add-on now included in Defender for Cloud Apps

Microsoft announced that the App Governance add-on will be included in Defender for Cloud Apps at no additional cost. Starting on June 1, new and existing customers will be able to start the opt-in process to begin using those capabilities, the company says.

Specifically, customers with a standalone, E5 Security or Microsoft 365 E5, or any other license with Defender for Cloud Apps, will have access to App Governance for free. For existing App Governance customers, depending on which channel they’ve purchased the licensing, Microsoft will either cancel the subscription or manage the queue accordingly once a ticket is received.

Customers will also get deeper OAuth app insights to help identify an app’s activities and the resources they access.

Microsoft Entra: Integrations, LAPS

In addition to shedding light on the many new Microsoft Entra integrations, Microsoft has released a public preview of Windows Local Administrator Password Solution (LAPS) for Azure AD, which is now part of Entra.

This makes Windows LAPS available to organizations for both Azure AD-joined and hybrid Azure AD-joined devices. LAPS is also now built into Windows with  10 20H2 and later, Windows 11 21H2 and later, and Windows Server 2019 and later using the most recent security update.

According to Microsoft, the preview allows IT professionals to:

• Enable Windows LAPS using a tenant-wide policy and a client-side policy to backup locl administrator password to Azure AD.
• Configure client-side policies via Microsoft Intune portal for local administrator password management to set account name, password age, length, complexity, manual password reset and so on.
• Recover stored passwords via Microsoft Entra/Microsoft Intune portal or Microsoft Graph API/PSH
• Enumerate all LAPS-enabled devices via Microsoft Entra portal or Microsoft Graph API/PSH.
• Create Azure AD role-based access control (RBAC) policies with custom roles and administrative units for authorization of password recovery.
• View audit logs via Microsoft Entra portal or Microsoft Graph API/PSH to monitor password update and retrieval events.
• Configure Conditional Access policies on directory roles that have the authorization of password recovery.

Intune: LAPS, Windows Defender Firewall

Speaking of LAPS, Microsoft also recently announced the ability to manage Windows LAPS through Microsoft Intune, it’s cloud-based endpoint management solution.

Admins can configure LAPS settings via a dedicated policy template in the Intune admin center and choose which directory to back up the password to. Admins can also select a specific device and have the option to view the local admin password for the selected device. They can also leverage Intune’s device action framework to rotate a local admin password outside of the schedule rotation interval.

However, Microsoft’s larger Intune announcement has to do with the Intune admin center to configure Windows Defender Firewall settings.

According to Microsoft, Windows Firewall not supports the use of Windows Defender Application Control (WDAC) Application ID (AppID) tags in firewall rules, enabling admins to scope firewall rules to an application or group of applications and rely on WDAC policies to define those applications.

The WDAC AppID functionality adds an administrator defined tag to the given process token. By using these tags, the Firewall Rules policy won’t need to rely on an absolute file path or use of a variable file path that can reduce the rule security, the company says.

Microsoft has also added two network list manager settings to the endpoint security Firewall policy which can be used to help determine when an Azure AD device is on on-premises domain subnets so firewall rules can properly apply.

In addition, Microsoft added a new setting to the Firewall Rules template “ICMP types and codes” that enables admins to configure inbound and outbound rules for ICMP as part of a firewall rule. Admins can manually enter the list of ICMP types and codes or choose to import and export a supported .csv file for easier management.

Also as part of the Intune announcement is the ability to configure firewall logging options in endpoint security Firewall policy, as well as the option for mobile broadband support in endpoint security firewall rules.

The post Microsoft’s Security Announcements Made During RSA Conference appeared first on My TechDecisions.

According to Microsoft, that version of Windows 10 will remain in support with monthly security update releases through Oct. 14, 2025 for all editions. Microsoft has been saying for some time now that it would support at least one version of Windows 10 through that date, but it not appears that Microsoft will put all of its support behind Windows 11 past that date.

That essentially means that organizations that continue to use Windows 10 past that date will not get security updates, leaving them open to potential cyberattacks. The previous Windows 10 release, version 21H2, will go out of support next year on June 11.

Existing LTSC releases will continue to receive updates beyond that date based on their specific lifecycles, the company says in a Windows client roadmap update. According to the company’s product and services lifecycle document, existing Windows 10 LTSC releases have end dates of Jan. 12, 2027 or later.

Read Next: How to Upgrade to Windows 11

Now, organizations essentially have two options for the immediate future:

• Upgrade to Windows 11 to keep operating systems up-to-date, secure, and equipped with new features.
• Update to Windows 10, version 20H2 to continue receiving monthly update releases through Oct. 14, 2025.

Microsoft is also announcing that the next Windows 11 LTSC releases will be available in the second half of 2024 for Windows 11 Enterprise and Windows 11 IoT Enterprise.

Organizations waiting for a Windows 11 LTSC release should begin planning and testing applications and hardware on the current generally available release, Windows 11 22H2, Microsoft says.

Microsoft rolled out Windows 10 22H2 in October 2022 along with several additional features for Windows 11 that weren’t included in the 2022 update, although the Windows 10 feature update was limited in scope and new features and functionality. That update came about a month after the company started to roll out the annual feature update for Windows 11, which included dozens of new features in security, efficiency, productivity, usability and more.

Windows 10 20H2, however, is the next version of the operating system slated for death, with an end-of-support date of May 9, less than two weeks away.

The post Windows 10, 22H2 is the Last Version of Windows 10, Microsoft Decrees appeared first on My TechDecisions.

However, those systems are typically located on Earth. Imagine trying to patch a system on an entirely different planet.

That’s apparently what NASA just did, sending a major software update more than 150 million miles away to the Curiosity rover designed to enable the wheeled robot to drive faster and reduce wear and tear on its wheels that it has endured for over a decade.

In addition, NASA made about 180 other changes in the update, which required Curiosity to essentially be shut down between April 3 and April 7, the space agency says in a press release. This is the equivalent of upgrading a Windows 10 device to Windows 11, albeit from a different planet.

While Microsoft, Google and other tech giants spend a considerable amount of time preparing updates and rolling them out, NASA took nine years to develop and send out this update to Curiosity, with the last update going back to 2016.

Other changes include making corrections to the messages the rover sent back to Earth and simplifications to computer code that had been altered by previous patches.

Software update to help navigate Mars terrain

According to NASA, Curiosity can now do more of what it calls “thinking while driving” – performing in a more advanced way to navigate around rocks and sand traps. This is something that NASA’s newest Mars rover, Perseverance, does to help navigate the Mars terrain. Perseverance constantly snaps pictures of the terrain ahead, processing them with a dedicated computer so it can autonomously navigate during one continuous drive.

However, Curiosity isn’t equipped with a dedicated computer for that purpose, instead driving in segments and stopping to process imagery of the terrain after each segment. That results in many stops and starts over the course of a long drive.

The update will help Curiosity process images faster and spend more time on the move, according to NASA.

A new algorithm to protect Curiosity’s wheels

To reduce the wear and tear on the rover’s aluminum wheels which have been showing signs of broke treads since 2013, NASA included in the update a new algorithm designed to improve traction and reduce wheel wear by adjusting the rover’s speed depending on the rocks it’s rolling over.

The update also includes two new mobility commands that reduce the amount of steering the rove needs to do while driving in an arc toward a specific waypoint, helping to further preserve the life of the wheels.

The software update will also help the human controllers on Earth plan the rover’s movements and will make future software updates easier to deploy, according to NASA.

IT admins pushing out a major patch or update may cross their fingers, but doing so across 150 million miles of space is a bit more nerve-wracking, says Jonathan Denison, the rover’s engineering operations team chief, in a statement.

“The idea of hitting the install button was a little scary,” Denison says. “Despite all our testing, we never know exactly what will happen until the software is up there.”

The post NASA’s Curiosity Software Update Makes Patch Tuesday Seem Like a Breeze appeared first on My TechDecisions.

According to Microsoft, security was a major driver in bringing Windows 11 to HoloLens 2, helping users of the mixed reality solution feel confident when building and deploying end-to-end solutions. The free upgrade to the newest operating system also includes continuous platform support, including monthly security servicing updates that reinforce the protection of sensitive information while improving app performance.

In addition to the security and support improvements, Microsoft is bringing developer tools including Microsoft Edge WebView2 control to HoloLens 2 via a preview. The company says this will give development teams the ability to embed web technologies such as HTML, CSS and JavaScript into their native applications.

To upgrade HoloLens 2 to Windows 11 for free, users can navigate to Settings>Update & Security>Check for Updates. Doing so will automatically trigger the system update. Microsoft notes that the upgrade is optional, and customers can continue using Windows 10 if they prefer.

Along with the release of Windows 11 on HoloLens 2, Microsoft is rolling out new features for Dynamics 365 Guides, including 3D annotations, custom security, industry compliance guidance and additional Microsoft Teams features in Guides.

The new annotation feature allows users to annotate anything around them within arm’s reach, and 3D drawings don’t need to be attached to a machine or surface, Microsoft says.

Microsoft’s new custom security feature in Dynamics 365 Guides, “Restricted Mode,” is designed to give organizations more control over mixed reality apps and the ability to enforce stricter access controls around systems and information deployed on HoloLens 2.

The company is also releasing new industry guidance for Dynamics 365 Guides for regulated industries that must comply with Good Practice (GxP) protocols. This includes refining industrial use cases on Guides to further address compliance, quality control, risk management and documentation.

Microsoft Teams is already integrated with Dynamics 365 Guides, but Microsoft is enhancing the experience with additional features such as the ability to goggle video on or off before a call and performance improvements.

Read this Windows blog or this Tech Community blog for more information.

The post Windows 11, New Features Coming to HoloLens 2 appeared first on My TechDecisions.

The San Francisco-based company bills the mobile device management (MDM) solution as more accessible and cost-effective, but also scalable and customizable for the specific needs of an organization without having to pay additional fees.

According to FleetDM, the MDM solution has out-of-the-box support for macOS, Windows, Linux and ChromeOS, and it can be configured to share data across teams and can be integrated with third-party platforms and DevOps processes via a REST API. That allows IT engineers and admins to run queries, access data and customize application development and delivery processes.

In addition, FleetDM’s new solution provides bidirectional transparency so end users have visibility into what is being monitored to help establish employee trust.

The company says the GitOps-driven consensus model enables close collaboration among security, developer and operations teams while ensuring a secure roll out of dedicated write operations.

The Fleet MDM solution also features bring-your-own capabilities for scripting and packaging tools to enable IT to use the tools the regular tools to ensure organizational requirements are met.

A closed-loop feedback on deployments means IT never needs to worry about whether the configuration made it to the machine, the company says.

According to FleetDM, an intuitive dashboard features one-click visibility and control, enabling IT to  manage devices from any location or platform. It enables automatic enrollment of new employees with Okta or any identity provider, IT management of software updates and patching with any software manager (Puppet, Munki, Chef, etc.), disk encryption (for macOS) using Apple FileVault, remote locks and wipes and includes all of the CIS critical security controls for Mac and Windows.

The company also says the solution supports multiple user accounts and in-depth activity auditing so teams can share data across different departments without security risks or privacy concerns.

In a statement, FleetDM co-founder and CTO Zach Wasserman says Fleet is built for programmatic automation, and automating audit logs with third-party platforms like Splunk becomes easier with Fleet.

“In addition, other platforms let you push updates to computers and turn on disk encryption, but if you want to see whether it actually worked you can’t – there’s no feedback mechanism for that and no way to see what’s actually happening,” Wasserman says. “With Fleet, you can say, ‘Turn on FileVault,’ and then run a query that says ‘how many computers have FileVault turned on?’ and you’ll see that it was 100% successful.”

According to the company, Fleet is based on the open source project osquery, co-developed in 2014 by Wasserman, then working at Meta. Wasserman co-founded Kolide in 2016 and created Fleet, an open source platform that made it easier for enterprises to use osquery. The Fleet community took over maintenance of the open source project in 2019, with Wasserman serving as lead maintainer. Wasserman partnered with FleetDM CEO Mike McNeil in 2020, announcing the transition to a stand-alone entity in November of that year.

In a statement, McNeil says Fleet is built for results and gives both security and IT teams the tools and features they need.

“We empathize with the leaders we speak to everyday who are stuck having to choose between out-of-the-box legacy MDMs or building their own on-top of a hodgepodge of unsupported open-source libraries,” McNeil says. “We built Fleet to bridge this chasm. We first built a battle-tested open-source platform that security teams trust, and then layered on top of it the configuration and APIs that IT teams want to see. We see the future of IT being unlocked by a devops mindset, and we aim to be at the forefront of that revolution.”

The post Fleet Launches Open-Source, Cross-Platform MDM Solution appeared first on My TechDecisions.

However, new research shows that some organizations are prioritizing defending against those trending, newsworthy threats at the expense of the threats actually facing their organization.

According to Mike DeNapoli, director of cybersecurity architecture at security posture management platform Cymulate, organizations are focusing on those headline-grabbing threats too often.

While staying current on new and emerging attack techniques is essential for any IT and security professional, organizations are doing so at the expense of the threats they are more likely to encounter on a daily basis, DeNapoli says.

Citing the company’s “2022 Cybersecurity Effectiveness Report,” DeNapoli says 40% of the exploits vulnerability managers are discovering are over two years old. New attacker tools and techniques such as AI-assisted polymorphic ransomware attacks should of course garner attention, but not at the expense of proven attack vectors.

“(Polymorphic ransomware) is not something we should be ignoring in any way, but at the same time, ProxyShell and ProxyNotShell vulnerabilities are still visible on Exchange Server,” DeNapoli says. “Attackers…are going to go for the low-hanging fruit when it’s available.”

What organizations are testing for vs. what is actually being exploited

According to Cymulate’s research, 40% of the top CVEs identified most by vulnerability management platforms were over two years old, and a significant number of organizations are not testing against more widely recognized threats such as those Exchange Server vulnerabilities and malware such as Emotet.

Other known vulnerabilities in organizations’ environments include poorly configured identity and access management and privileged access management, as well as reliance on legacy infrastructure.

However, the top 10 immediate threats simulated last year share many characteristics, including being carried out by known threat actors; using phishing, watering hole and supply chain attacks; using known attack tools; having a clear motive; and being highly sophisticated and evasive.

Another top characteristic is that they were all abundantly reported on in specialized and mainstream press.

According to Cymulate, the top 10 most tested threats include:

• Manjusaka: a cyber-attack framework of Chinese origin, likely created for criminal use, it includes Windows and Linux implants and a ready-made command and control server.
• Powerless Backdoor: a cyber threat popular among Iranian hackers, designed to avoid detection by PowerShell, and can download a browser info stealer, keylogger, encrypt and decrypt data, execute arbitrary commands, and kill processes.
• APT 41 targeting U.S. State Governments: a Chinese state-sponsored hacking group that has been targeting US state governments using various tools and techniques such as Acunetix, Nmap, and SQLmap, and attack methods like phishing, watering hole attacks, and supply-chain attacks.
• Lazarus Phishing Attack on DoD Industry: a phishing campaign carried out by the North Korean hacking group Lazarus, targeting job applicants in the US defense sector with malicious documents containing macros.
• Industroyer 2: An APT-style malware that specifically targets industrial control systems (ICS) and critical infrastructure. A spinoff of the 2016 attack on Ukraine power grid.
• Spring4Shell: Exploiting the Spring Framework vulnerability (CVE-2022-22965), it allows for remote code execution without authentication.
• Follina Office Attack: Weaponizing Microsoft vulnerability (CVE-2022-30190), it allows for remote code execution without authentication.
• Ransomexx: A ransomware-as-a-service (RaaS) model, financially motivated and believed to be related to the sprite Spider ransomware group based in Russia.
• Quantum Ransomware: One of the fastest cases of time-to-ransom ever observed with initial access to domain-wide ransomware in just 3 hours and 44 minutes. The initial access vector for this attack was an IcedID payload delivered via email.
• Mikubot: A new variant of bot malware that is being offered for sale in threat actor forums, written in C++ and works on Windows operating systems from Vista to Windows 11. The malware is standalone and is being sold for $1300 for 1.5 months of access or $2200 for a three-month subscription.

However, the company’s list of most detected vulnerabilities configured by vulnerability management tools includes bugs that keep making appearances in threat research, such as Exchange Server vulnerabilities, PrintNightmare, and others.

• CVE-2022-30190 – Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability. Used in Follina attacks.
• CVE-2021-34527 – A remote code execution (RCE) vulnerability that allows threat actors to remotely inject DLLs. Used in conjunction with CVE-2021-1675 in PrintNightmare attacks
• CVE-2013-3900 – A WinVerifyTrust signature validation vulnerability that allows remote attackers to execute arbitrary code via specially crafted portable executables by appending the malicious code snippet while still maintaining the validity of the file signature.
• CVE-2022-2190 – Microsoft HTTP protocol stack remote code execution vulnerability
• CVE-2021-1675 – Allows an attacker with low access privileges to use a malicious DLL file to escalate privilege. Used in conjunction with CVE-2021-34527 in PrintNightmare Attacks.
• CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
• CVE-2018-0798 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
• CVE-2018-0802 – A Microsoft Office memory corruption vulnerability that allows remote code execution due to the way objects are handled in memory.
• CVE-2017-11882 – A Microsoft Office memory corruption vulnerability that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory.
• CVE-2022-3786 – A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the character (decimal 46) on the stack and cause a denial of service.

Assess your environment first

When IT and security professionals see these new attacks making headlines, they should first assess whether they have the vulnerable assets in their environment, and if they would be a target of the threat actor, if one was identified.

According to DeNapoli, that means getting a handle on shadow IT and cloud sprawl, which is admittedly difficult to do.

“But, it’s necessary, because if there is something like a Log4J, you don’t know what is running within the environment and it becomes incredibly difficult to determine if you could be attacked by that type of technique,” DeNapoli says. “Having those sort of catalogs or inventories of what’s there and what could be a target is going to help a lot.”

However, organizations should not be ignoring the things that came before, as threat actors have proven that leveraging old vulnerabilities–some of which are more than a decade old–is still successful.

The U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog is a prime example of this issue, as 481 of the 914 vulnerabilities on the list are from before 2020.

“Nation-state actors are using this backlog to successfully attack organizations,” DeNapoli says. “Always compare what’s coming out in the news to what you’ve got running to determine if this is something you should deal with immediately, or if it can be put on the backburner in favor of something much more likely to happen.”

The post Is Your Organization Testing Against the Right Cyber Threats? appeared first on My TechDecisions.