Monday, February 26, 2024
Broadcom Symantec Messaging Gateway Version Upgrade
If you upgrade from 10.8.0 or earlier to 10.9.0 or above, you need to disable legacy URL reputation and implement a URL categorization policy.
Reference: P3 to P4.
The NSFOCUS SAS-H hardware is end of support and does not support Edge. You need to use IE mode in Edge to access it.
The new product, OSMS, has been released to replace the SAS-H.
Reference:
https://www.techtarget.com/searchenterprisedesktop/tip/How-to-enable-Internet-Explorer-mode-on-Microsoft-Edge
Using a different proxy for individual browsing via a browser shortcut
Workaround solution:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -proxy-server="x.x.x.x:8080"
The same setting -proxy-server="Proxy IP:Proxy Port" also works for IE.
Reference:
Sunday, February 25, 2024
Files and folders copied by robocopy are not visible (they are visible on the old machine)
Run the command "ATTRIB -h -s -a d:\backups\c" to remove the hidden attribute from the folder.
To prevent the backup folder from being hidden by robocopy:
You can prevent the new directory from becoming hidden by adding the /A-:SH switch to the robocopy command.
Reference:
Full data backup from C drive to an external USB drive using Robocopy
robocopy /s /z /xj /V /R:0 /W:0 /copy:DT C:\ D:\backups\c\
Reference:
https://pureinfotech.com/robocopy-recover-and-skip-files-with-errors-from-bad-hard-drive-in-windows/
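The two robocopy posts above describe one procedure: copy the drive, then deal with the destination folder that ends up hidden because it inherits the Hidden and System attributes of the source root. The following PowerShell is an added example (not code from the original post) that runs the backup with /A-:SH already applied, checks robocopy's exit code bitmask, and clears only the Hidden/System bits if the destination root still carries them. The source and destination paths are assumed; adjust them to your drives.

```powershell
# Added example; paths are assumptions taken from the post, not a fixed convention.
$src = 'C:\'
$dst = 'D:\backups\c'

# Same switches as the post, plus /A-:SH, which strips the Hidden and System
# attributes from copied items so the backup folder stays visible in Explorer.
robocopy $src $dst /s /z /xj /V /R:0 /W:0 /copy:DT /A-:SH
$rc = $LASTEXITCODE

# robocopy exit codes are a bitmask: 0-7 are success variants (1 = files copied,
# 2 = extra files in destination, 4 = mismatches); bit 8 = some items could not be
# copied (bad sectors, locked files); bit 16 = fatal error, nothing copied.
if ($rc -ge 8) {
    Write-Warning "robocopy reported failures (exit code $rc); review the output above."
} else {
    Write-Host "robocopy finished (exit code $rc)."
}

# Belt and braces for the post's symptom: if the destination root is still
# Hidden/System (e.g. from an earlier run without /A-:SH), clear just those two
# bits and leave every other attribute (Archive, ReadOnly, ...) untouched.
$item  = Get-Item -LiteralPath $dst -Force
$hs    = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$attrs = [int]$item.Attributes
if (($attrs -band $hs) -ne 0) {
    $item.Attributes = [IO.FileAttributes]($attrs -band -bnot $hs)
    Write-Host "Cleared Hidden/System on $dst (now: $($item.Attributes))"
}
```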
Migrate Broadcom Symantec Messaging Gateway from a physical to a virtual appliance with a different hostname and IP address
How do you migrate Broadcom Symantec Messaging Gateway from a physical to a virtual appliance with a different hostname and IP address?
The solution is to take a backup on the physical appliance by selecting Custom backup (https://knowledge.broadcom.com/external/article/180646/backup-and-restore-the-messaging-gateway.html) and not selecting "Include log data"; the backup can then be restored to a different hostname and IP address.
Saturday, February 24, 2024
Prepare for NTLM being disabled in your domain environment
Microsoft has made an announcement stating that the NTLM authentication protocol will be disabled in Windows 11. Instead, it will be replaced by Kerberos, which is currently the default authentication protocol in Windows versions above Windows 2000.
https://petri.com/microsoft-disable-ntlm-windows-11/
To prepare for this coming change, you can enable a GPO to audit which applications are using NTLM in your environment and also which version of NTLM is still in use.
https://superuser.com/questions/1694421/how-can-i-find-out-what-is-using-ntlm-in-my-environment
https://4sysops.com/archives/auditing-and-restricting-ntlm-authentication-using-group-policy/
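Once the audit GPO is in place, the data lands in two event logs. The following PowerShell is an added example (not from the original post or the linked articles) that answers the post's two questions: Security event 4624 with AuthenticationPackageName=NTLM carries the NTLM version in LmPackageName ("LM", "NTLM V1" or "NTLM V2"), and event 8001 in Microsoft-Windows-NTLM/Operational (written on a client when "Restrict NTLM: Outgoing NTLM traffic to remote servers" is set to "Audit all") names the calling process. It assumes it is run with administrator rights on a domain controller or member server that has those audit settings applied.

```powershell
# Added example; assumes the NTLM audit GPO is applied and the script runs elevated.
# Flatten an event's EventData into a PSObject keyed by the Data Name attributes,
# so fields can be grouped on regardless of which log they came from.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = [ordered]@{ TimeCreated = $Event.TimeCreated; EventID = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# 1) Which accounts still log on with NTLM, which version, and from where.
#    Filtering in XPath keeps the query server-side instead of pulling all 4624s.
$xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
$ntlmLogons = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventData $_ }

$ntlmLogons |
    Group-Object LmPackageName, TargetDomainName, TargetUserName, IpAddress, WorkstationName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Anything still on LM or NTLM V1 is the first thing to fix before NTLM is disabled.
$ntlmLogons | Where-Object { $_.LmPackageName -in 'LM', 'NTLM V1' } |
    Select-Object TimeCreated, LmPackageName, TargetUserName, IpAddress, WorkstationName |
    Format-Table -AutoSize

# 2) Which local processes generate outgoing NTLM (event 8001 on the client side).
#    Field names in 8001 differ from 4624, so list every field rather than assume names.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -FilterXPath '*[System[(EventID=8001)]]' `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventData $_ } |
    Select-Object -First 20 |
    Format-List
```

Run it on the domain controllers first (their 4624 events cover domain account logons), then on individual member servers and clients to find the applications behind the remaining NTLM traffic.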
Thursday, February 22, 2024
SSL VPN and ZTNA solution requirements for client-side control
Solution Requirements:
- User experience resembles local office LAN access (F&P)
- Local office LAN is city based
- Connect from the Internet or another non-corporate network
Solution Requirements:
- ONLY applied on company-owned laptops with Windows 10 or above; no Apple devices and no Android devices
- Always ON (enforce VPN whenever the network is connected)
- MS KB posture check and antivirus signature check (host scan)
- If the above host scan fails, an isolated LAN with limited access is provided instead
- Block any Internet connection when the VPN is down
- Supports captive portal authentication (i.e. hotel customer login)
- MFA (Active Directory + software token + certificate auth)
- Detect antivirus being stopped after the VPN connection is established
Failed to log in to the SWIFT RMA portal after an Edge upgrade
Edge 120.0.2210.144 fails to log in to the SWIFT RMA portal.
Edge 115.0.1901.203 or below is able to log in to the RMA portal.
Edge Favorites offline migration
Edge Favorites - copy the bookmarks file from the old machine and paste it on the new machine. If Edge is open, you need to close Edge and re-open it.
The bookmarks file is at C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks
A Hillstone storeID lets you raise support cases, download images, and access free training, manuals and documents.
In the support portal, one important piece of information is the list of recommended versions.
User account portal: Hillstone User Center (hillstonenet.com)
Support portal: Login - Hillstone (hillstonenet.com)
Tuesday, February 20, 2024
Outlook CVE-2024-21413 aka MonikerLink - Need to patch now
MS Security Update https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413
- For .msi-based installs, you can install the standalone security patches to fix this vulnerability.
- For O365/M365 users on the click-to-run edition, assuming a domain-joined machine, you need to deploy an Office GPO to enable auto update, and then run or deploy the command to run the whole Office update. For example:
"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user
Reference:
Migrating a Symantec Messaging Gateway Appliance to the Virtual Edition
Install the same version of the virtual SMG on a supported virtual platform, using the same IP address and hostname as the physical Symantec Messaging Gateway appliance.
For the detailed steps, refer to the following:
https://knowledge.broadcom.com/external/article/158058/migrating-a-symantec-messaging-gateway-a.html
Cisco ASA SSL VPN Vulnerability - CVE-2023-20275
It is required to upgrade to version 9.12(4)65 (released 1/25/2024) or later, or a higher version with the latest patches.
Reference:
https://www.cybersecurity-help.cz/vdb/SB2023120533
Sunday, February 18, 2024
Hong Kong Monetary Authority (HKMA) - Secure Tertiary Data Backup (STDB)
In 2021, in light of recent international developments such as the US Sheltered Harbor initiative to address this type of cyber threat, the Hong Kong Monetary Authority (HKMA) invited the Hong Kong Association of Banks (HKAB) to develop guidelines on Secure Tertiary Data Backup (STDB) that are appropriate for the banking landscape in Hong Kong. HKAB issued the STDB Guideline to banks in an effort to counter the growing risks of potentially catastrophic cyberattacks.
In 2023, HKMA made significant inroads in implementing Secure Tertiary Data Backup (STDB) to enhance recovery capabilities from ransomware attacks.
8 Principles:
- STDB Governance Model
- Identification of Critical Data
- Data Quality
- Critical Data Lifecycle Management
- Data Extraction and Ingestion
- Secure Repository
- Restoration Planning
- Restoration Validation Process and Drills
9 Characteristics:
- Immutable
- Survivable
- Air-gapped
- Secure
- Controlled
- Verifiable
- Assurance
- Heterogeneous
- High-performance
Reference:
8 Principle-based Guidelines of STDB
9 Characteristics of STDB
US Sheltered Harbor
Tencent Cloud using a third-party firewall as the Internet edge firewall solution - Fortinet
Instead of using the Tencent Cloud Firewall Service (Internet Edge Firewall), a Fortinet firewall can be used as the Internet edge firewall solution.
Reference:
FortiGate deployment guide for the Tencent Cloud platform (FortiGate基于腾讯云平台部署文档)
Tencent Cloud using a third-party firewall as the inter-VPC firewall solution - Hillstone
Instead of using a Palo Alto (PA) firewall, a Hillstone firewall can be used between VPCs to form a VPN tunnel that encrypts traffic between the VPCs, and also to act as a security control point.
Reference:
Validation case for deploying Hillstone CloudEdge 5.5R9P6 on Tencent Cloud (腾讯云部署云界5.5R9P6版本验证案例)
Thursday, February 15, 2024
Four Microsoft CVEs need a response, and three of them, CVE-2024-21412 (CVSS score 8.1), CVE-2024-21351 (CVSS score 7.6) and CVE-2024-21410 (CVSS score 9.8), are ACTIVELY EXPLOITED 0-DAY vulnerabilities
- CVE-2024-21412 (CVSS score 8.1) and CVE-2024-21351 (CVSS score 7.6) are ACTIVELY EXPLOITED 0-DAY vulnerabilities
- CVE-2024-21412 is also being exploited by malware.
- Outlook users need to patch CVE-2024-21413
- Exchange Server: CVE-2024-21410 (CVSS score 9.8)
Bad IP need to block: [IP ADDRESSES] 84[.]32[.]189[.]74 179[.]43[.]172[.]127 179[.]43[.]172[.]191 64[.]31[.]63[.]70 64[.]31[.]63[.]194
IOC:
Reference:
Wednesday, February 14, 2024
End Of General Availability of the Free vSphere Hypervisor (ESXi 7.x and 8.x) (2107518) - Alternative solution
VMware vSphere Hypervisor (free edition) is no longer available on the VMware website
Alternative solutions:
- Smart-X HCI (ELF) https://www.smartx.com/global/community/
OpenGFW is a flexible, easy-to-use, open source implementation of GFW on Linux - GitHub
The solution installation manual:
OpenWrt routers:
You can find a router that supports OpenWrt, then install OpenGFW on it. Since OpenGFW is at an early development stage, use it carefully.
Reference:
Friday, February 9, 2024
FG-IR-24-029 (Affected version: 7.x) (CVE-2024-23113) - (CVSS 9.8) - Fortinet Fortigate
FG-IR-24-029: FortiOS - Format String Bug in fgfmd
A use of externally-controlled format string vulnerability [CWE-134] in the FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests.
Solution reference link: https://www.fortiguard.com/psirt/FG-IR-24-029
Follow the recommended upgrade path using Fortinet's tool at: https://docs.fortinet.com/upgrade-tool
This one needs to be patched ASAP if your firewall is Internet facing and also running 7.x.
Workarounds:
For each interface, remove the fgfm access; for example, change:
config system interface
    edit "portX"
        set allowaccess ping https ssh fgfm
    next
end
to:
config system interface
    edit "portX"
        set allowaccess ping https ssh
    next
end
Note that this will prevent FortiGate discovery from FortiManager. Connections from the FortiGate will still work.
Please also note that a local-in policy that only allows FGFM connections from a specific IP will reduce the attack surface but it won't prevent the vulnerability from being exploited from this IP. As a consequence, this should be used as a mitigation and not as a complete workaround.
Reference:
FG-IR-24-015 (CVE-2024-21762) (CVSS 9.6) - Fortinet Fortigate firewall
Product Security Incident Response Team (PSIRT) advisory regarding FortiOS.
FG-IR-24-015: FortiOS - Out-of-bound Write in sslvpnd
An out-of-bounds write vulnerability (CWE-787) in FortiOS could potentially allow a remote unauthenticated attacker to execute arbitrary code or commands through specially crafted HTTP requests.
Solution reference Link: https://www.fortiguard.com/psirt/FG-IR-24-015
Workaround: Disable SSLVPN: https://community.fortinet.com/t5/FortiGate/Technical-Tip-nbsp-How-to-disable-SSL-VPN-functionality-on/ta-p/230801
In addition, a local-in policy to tighten SSL VPN exposure should be considered. The accept rule (ID 4) is created first so that it is evaluated before the catch-all deny (ID 3); "portx" is the port facing the public Internet, and "trusted source IP" is an address object you define for the permitted sources:
config firewall local-in-policy
    edit 4
        set intf "portx"
        set srcaddr "trusted source IP"
        set dstaddr "all"
        set action accept
        set service "SSLVPN_10443"
        set schedule "always"
        set status enable
    next
    edit 3
        set intf "portx"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN_10443"
        set action deny
        set schedule "always"
        set status enable
    next
end
There are several SSL VPN enhancement considerations:
For the long term, you should plan to replace your SSL VPN with ZTNA:
Reference: