2024-12-13 - Version 2

Rockstar 2FA: Compromising Microsoft 365 Accounts-What MSPs and Small Businesses Need to Know

Key Takeaways

Sophisticated Phishing-as-a-Service Model: Rockstar 2FA uses advanced adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication (MFA) protections in Microsoft 365.
Small Businesses Are Prime Targets: Limited resources and cybersecurity awareness make small and medium-sized businesses especially vulnerable to such attacks.
MSPs Must Evolve Defense Strategies: The role of Managed Service Providers (MSPs) in combating advanced threats is more critical than ever, requiring proactive tools, training, and incident response.

The Threat Landscape: What Is Rockstar 2FA?

A recent discovery has exposed a new iteration of Phishing-as-a-Service (PhaaS) platforms called Rockstar 2FA. This campaign focuses on stealing credentials from Microsoft 365 (M365) by bypassing MFA protections through adversary-in-the-middle (AiTM) techniques. The platform is a subscription-based service marketed to cybercriminals across forums like Telegram and Mail.ru, offering advanced features such as:

Session cookie harvesting to hijack active user sessions
Customizable phishing templates mimicking trusted services
Antibot features to avoid automated detection systems
Randomized source code and links to evade detection and FUD attachments

Rockstar 2FA capitalizes on user trust in services like Microsoft 365, posing a significant risk for organizations that rely on this platform for communication and collaboration. Its accessibility to attackers, regardless of technical expertise, makes it a widespread and pressing concern.

For more technical details, see the analysis by Trustwave: Rockstar 2FA PhaaS Campaign.

How the Attack Works

At the heart of the Rockstar 2FA campaign is its adversary-in-the-middle (AiTM) technique. Here’s how the attack unfolds:

Phishing Email: The Attacker is sending an email using the templates of the Rockstar platform, such as: Document and file-sharing notifications, MFA lures, E-signature platform-themed messages and more. The campaign executed through several email delivery mechanisms, like compromised accounts, to conceal oneself behind a credible source and contain FUD links and attachments to bypass antispam detections.
Antibot: Upon being redirected to the landing page, the user will encounter a Cloudflare Turnstile challenge – a free service that protects websites from bots. Threat actors now exploit to avoid automated analysis of their phishing pages.
The AiTM Server: The server functions as both the phishing landing page, the credentials housing server and the proxy server. The phishing page mimics the brand’s sign-in page despite obfuscated HTML, forwarding those credentials to the legitimate service to complete the authentication process and then sending user data directly to the AiTM server to extract credentials and retrieve the target account’s session cookie.
Credential and Cookie Theft: When the victim enters their login credentials and MFA code, the proxy server captures both, along with session cookies.
Session Hijacking: Using these session cookies, attackers can access the victim’s account without needing to allow MFA repeatedly.

This approach is particularly effective because it nullifies MFA protections, which are traditionally seen as a critical safeguard against unauthorized access.

The Impact on Small Businesses Using Microsoft 365

Small businesses are a favorite target for phishing campaigns due to limited cybersecurity resources and expertise. For organizations heavily reliant on M365 for day-to-day operations, the risks include:

Data Breaches: Unauthorized access to sensitive files, emails, and client information stored in M365.
Business Disruption: Compromised accounts can lead to halted operations, delayed projects, or worse, ransomware incidents.
Business Email Compromise (BEC) is a sophisticated type of phishing attack where cybercriminals impersonate trusted executives, employees, or business partners to deceive victims into transferring funds or sharing sensitive information. BEC often involves carefully crafted emails that exploit human trust, bypassing technical defenses and resulting in significant financial and reputational damage for organizations.
Financial Loss: Whether through direct theft, fraudulent transactions, or fines related to non-compliance with data protection regulations.

The Rockstar 2FA campaign also leverages trusted platforms like Atlassian Confluence, Google Docs, Microsoft OneDrive and OneNote- to host malicious links, making phishing emails harder to identify.

The Critical Role of MSPs in Defending Against Rockstar 2FA and Similar Threats

Managed Service Providers (MSPs) have become indispensable for small and medium-sized enterprises (SMEs) navigating today’s complex cybersecurity landscape. As Rockstar 2FA highlights, phishing campaigns are becoming more advanced, leveraging tools and tactics that were once the domain of highly skilled hackers. In this context, MSPs play a multifaceted role, acting not just as service providers but as strategic partners in securing their clients’ operations.

1. Proactive Threat Prevention

MSPs must focus on preventing threats before they reach their clients’ environments. This requires a blend of technical expertise, advanced tools, and constant vigilance.

Deploying Phishing Simulations:
MSPs can implement solutions like Guardz’s AI-powered phishing simulations to proactively test their clients’ susceptibility to phishing attempts. These simulations mirror real-world scenarios, helping organizations identify gaps in employee training and response.
- Example: Regular phishing drills can reveal if employees are consistently clicking on malicious links, allowing MSPs to intervene with targeted education.
Security Configuration Management:
Ensuring that Microsoft 365 environments are configured with best-practice security settings (e.g., disabling legacy authentication, enabling conditional access policies) reduces the attack surface significantly.

2. Real-Time Detection and Response

Phishing campaigns like Rockstar 2FA are designed to bypass traditional security mechanisms, making real-time detection critical.

Anomaly Monitoring:
MSPs should deploy tools that track login anomalies, such as sign-ins from unexpected locations or devices. Suspicious behavior can trigger alerts and automatic account lockdowns.
Continuous Security Operations:
Many MSPs now operate Security Operations Centers (SOCs) or leverage third-party providers to monitor client environments around the clock. For example, unusual activity within Microsoft 365—like mass file downloads—can indicate a compromised account and prompt immediate action.
Incident Response Planning:
When phishing attacks succeed, MSPs must act quickly to mitigate damage. An effective incident response plan includes:
- Revoking compromised session cookies and resetting credentials.
- Performing forensic analysis to understand how the breach occurred.
- Communicating transparently with the client about the incident and steps for recovery.

3. Employee Education and Cyber Hygiene

Phishing remains one of the most successful attack vectors because it targets human behavior. MSPs can turn this vulnerability into a strength by fostering a culture of cybersecurity awareness.

Tailored Cybersecurity Training:
MSPs should regularly provide training sessions for employees, focusing on real-world examples of phishing attempts. These sessions should cover:
- Identifying phishing red flags, such as mismatched URLs, urgent language, and unusual requests.
- Steps to verify sender legitimacy, such as calling the organization directly.
- The importance of not sharing credentials or MFA codes under any circumstances.
Phishing Resilience Programs:
A resilience program combines simulated phishing attacks, immediate feedback, and ongoing education. The goal is to transform employees from potential vulnerabilities into a critical line of defense.

4. Security Integration Across Platforms

Small businesses often rely on multiple cloud-based platforms beyond Microsoft 365, such as Google Workspace, Dropbox, and CRM systems. MSPs must ensure that security measures extend seamlessly across these platforms.

Unified Threat Management:
By integrating security tools across platforms, MSPs can create a centralized system for threat detection and response. This approach prevents attackers from exploiting gaps in security coverage.
Identity and Access Management (IAM):
Implementing IAM solutions ensures that access to sensitive data is restricted to authorized personnel. MSPs should use tools that enforce principles like least privilege and role-based access controls.

5. Guiding Clients Through a Changing Threat Landscape

Cyber threats evolve rapidly, and businesses often struggle to keep up. MSPs act as trusted advisors, helping their clients navigate these changes.

Regular Security Reviews:
Periodic reviews allow MSPs to assess their clients’ current security posture and recommend updates to address new threats, such as those posed by Rockstar 2FA.
Advising on Cybersecurity Investments:
MSPs can guide businesses on the most effective use of limited budgets, prioritizing solutions that deliver the highest return on investment. For instance:
- Encouraging investment in tools like phishing simulations to prevent human errors.
- Recommending endpoint detection and response (EDR) solutions to protect against ransomware.
Cyber Insurance Advisory:
With threats like Rockstar 2FA on the rise, MSPs can assist clients in obtaining cyber insurance policies that cover phishing-related damages, complementing their technical defenses.

6. Building Trust Through Transparency

For many small businesses, trust is a key factor in selecting an MSP. Clients need to feel confident that their MSP is not only capable of defending against threats but also committed to their success.

Regular Reporting:
Providing clients with detailed reports on security incidents, training outcomes, and system health builds confidence and highlights the value of the MSP’s services.
Collaborative Incident Management:
When a breach occurs, clear and honest communication ensures clients understand the steps being taken to resolve the issue and prevent future occurrences.

Guardz’s Comprehensive Approach to Phishing Prevention

Guardz offers a robust suite of tools designed to combat phishing threats and enhance organizational resilience, making it an invaluable ally for MSPs and small businesses. By combining email security protection and AI-powered phishing simulations, Guardz provides both proactive and reactive defenses against campaigns like Rockstar 2FA.

1. Email Security Protection

Guardz’s email security solution is a critical first line of defense against phishing attacks. It actively scans and monitors incoming emails, detecting and blocking suspicious messages before they reach employees’ inboxes.

Key capabilities include:

Phishing Detection: Identifies malicious links, attachments, and spoofed sender addresses commonly used in phishing campaigns.
Real-Time Threat Analysis: Uses advanced algorithms to analyze email metadata and content for indicators of compromise (IoCs).
Automated Remediation: Flags and quarantines phishing emails, preventing users from interacting with potentially harmful content.

This layer of protection significantly reduces the likelihood of a phishing attack reaching employees, especially in environments with high email traffic like Microsoft 365.

2. Phishing Simulation Tool

Even with robust email protection, phishing attempts may occasionally bypass filters, relying on human error to succeed. Guardz addresses this vulnerability with its AI-powered phishing simulation tool, designed to enhance employee awareness and resilience.

How it Works:

Realistic Simulations: Guardz leverages AI to craft realistic phishing campaigns that mimic current threats, including tactics like AiTM attacks.
Customizable Scenarios: MSPs can tailor simulations to align with the specific challenges faced by their clients, making the training highly relevant.
Immediate Feedback: Employees receive instant feedback on their actions during simulations, turning mistakes into valuable learning opportunities.
Actionable Reporting: Detailed reports help organizations identify patterns in employee behavior and target areas for improvement.

By regularly running simulations, businesses can build a culture of vigilance, ensuring employees are prepared to recognize and report phishing attempts in real-world scenarios.

Lessons Learned: Protecting Against Sophisticated Phishing Attacks

For MSPs:

Stay Ahead of Threats: Regularly update clients about evolving phishing tactics like AiTM attacks to ensure they understand the risks.
Adopt Layered Security: Combine phishing simulations, endpoint protection, and continuous monitoring for a robust defense.
Empower Through Education: Provide ongoing training and resources to help employees identify and report phishing attempts effectively.

For Small Businesses:

Trust but Verify: Always verify suspicious emails, especially those requesting credentials or sensitive information.
Invest in Training: Regular phishing simulations can help employees stay alert and minimize errors.
Rely on Experts: Partnering with a knowledgeable MSP ensures access to advanced tools and expertise that may not be available in-house.

The Rockstar 2FA campaign highlights the growing sophistication of phishing attacks and the urgent need for advanced defenses. For MSPs and small businesses, proactive strategies, continuous education, and robust tools like Guardz’s phishing simulations are critical in staying secure.

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

2024 Guardz

Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats

China’s state-sponsored cyber operations—aptly nicknamed with “Typhoon” monikers—have been brewing trouble for over a decade. From Violet to Salt Typhoon, these advanced persistent threat (APT) groups have been wreaking havoc on government entities, critical infrastructure, and other high-value targets. Their evolution highlights one thing loud and clear: attackers are always one step ahead, looking for the weakest link.

But fear not—there’s a way to outpace these storms. Let’s break down what these Typhoons have been up to and how runZero brings calm to the chaos with unparalleled visibility and proactive defense.

The Typhoon Timeline: An Evolution of Threats

The Typhoon story began with Violet Typhoon, which stuck to the basics: phishing, exploiting known vulnerabilities, and going after traditional IT systems. They were your typical “steal the sensitive data and run” kind of crew.

Then came Volt Typhoon, which shifted focus to U.S. critical infrastructure. They embraced “living off the land” techniques, cleverly blending into hybrid IT and OT environments while avoiding detection. Think of them as the first innovators of the Typhoons.

Not to be outdone, Flax Typhoon targeted IoT devices like cameras and DVRs, transforming these “unimportant” devices into powerful botnets. It was a wake-up call for organizations ignoring their IoT inventory.

And now, Salt Typhoon has arrived, skillfully exploiting IT, OT, and IoT systems with alarming precision. Their primary focus? Telecommunications providers and ISPs, where they leverage trusted devices and connections to steal customer call records, compromise private communications—particularly those of individuals involved in government or political activities—and access sensitive information tied to U.S. law enforcement requests under court orders.

Why Visibility is the Game-Changer

The Typhoon saga reveals one critical truth: attackers will find the blind spots in your network. Whether it’s a forgotten IoT device, an outdated VPN concentrator, or a misconfigured firewall, these gaps become open doors for adversaries.

That’s why visibility—complete visibility—is key to staying ahead. Enter runZero.

How runZero Helps You Outmaneuver Salt Typhoon

Salt Typhoon thrives on exploiting edge devices and blending into your network. But runZero makes their job infinitely harder. Here’s how we give you the upper hand:

Proactive Edge Discovery: With real-time scanning and unmatched fingerprinting capabilities, runZero identifies every device—routers, firewalls, switches—before attackers can. Firmware versions? Check. Misconfigurations? Double-check.
Mapping Internal Pathways: Once inside, attackers aim to move laterally. runZero lights up internal pathways, exposing high-risk devices and connections that could serve as stepping stones for adversaries.
Correlating Internal and External Risks: Unlike siloed tools, runZero connects the dots between internal and external assets, revealing shared vulnerabilities and dependencies. That’s insight no other platform offers.
Risk-Based Prioritization: runZero doesn’t just throw vulnerabilities at you. It ranks them by exploitability, exposure pathways, and criticality, so you can tackle the most pressing issues first.
Continuous Monitoring: Networks change constantly, and so do risks. With runZero’s continuous discovery, you’ll always have an up-to-date picture of your attack surface.

Actionable Insights for Real-World Defense

Need proof of what runZero can do? Let’s take CISA’s latest guidance tailored to counter Salt Typhoon’s tactics and the queries you can use in the runZero platform to identify assets at risk.

Strengthening Visibility: Monitoring: Network Engineers

If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations. Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.

# Service Query
(type:router OR type:switch OR type:firewall) AND (port:80 OR port:443) AND has_public:true

Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.

# Users Query
alive:t AND (
  isDisabled:true
OR
  (source:googleworkspace suspended:t)
OR
  (source:googleworkspace isEnforcedIn2Sv:f)
OR
  (has:accountExpiresTS)
OR
  (isDisabled:true)
OR
  (passwordExpired:true OR msDS-UserPasswordExpiryTimeComputedTS:<now))

Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring. runZero can track and incorporate end-of-life data from a variety of sources.

# Asset Query
os_eol_expired:t

Monitoring: Network Engineers

Closely monitor all devices that accept external connections from outside the corporate network

# Asset Query
has_public:t

IPsec tunnel usage

# Service Query
protocol:ike

Hardening Systems & Devices: Protocols and Management Processes: Network Engineers

Additionally, as a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN. runZero’s innovative outlier score can help locate devices that don’t look like others in the same site.

# Asset Query
outlier:>=2

if using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used

# Service Query
protocol:snmp1 or protocol:snmp2 or protocol:snmp2c

Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP).

# Service Query
protocol:cdp

Ensure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network.

# Service Query
tls.supportedVersionNames:"SSL" OR tls.supportedVersionNames:"TLSv1.0" OR tls.supportedVersionNames:"TLSv1.1" OR tls.supportedVersionNames:"TLSv1.2"

Disable Secure Shell (SSH) version 1.

# Service Query
banner:"SSH-1"

Hardening Systems & Devices: Protocols and Management Processes: Network Defenders

Disable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c

# Service Query
protocol:telnet OR protocol:ftp OR protocol:tftp OR banner:"SSH-1" OR (protocol:http AND NOT protocol:tls) OR protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c

Conduct port-scanning and scanning of known internet-facing infrastructure

# Service Query
has_public:t

The Final Word

The Typhoon threat is real, but with runZero, you don’t have to weather the storm alone. Whether you’re facing state-sponsored attackers like Salt Typhoon or just trying to get a handle on your sprawling network, runZero does more than uncover what’s hiding in your network—we redefine what’s possible in exposure management. Our agentless, credential-free approach means you get instant insights without the hassle. And our advanced fingerprinting technology? It’s second to none, giving you detailed device profiles that competitors can only dream of.

But it’s not just about tech; it’s about speed and adaptability. As networks grow more complex and threats more advanced, runZero ensures you’re always one step ahead of these Typhoons no matter how their tactics evolve. From shadow IT to unmanaged IoT, we uncover everything—because the very things you didn’t know existed are exactly what these attackers are looking for.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

runZero 2024

Gone Phishing: Understanding Different Phishing Types and How to Protect Yourself

Phishing attacks have become an epidemic. Approximately 3.4 billion phishing emails are sent worldwide each day, making it the leading attack vector in 41% of all data breaches. And it’s not just e-mail—phishing has expanded to voice, text, social media, and even fake websites, targeting users across multiple platforms to steal sensitive information and compromise accounts.

The aim of a phishing scam is to steal your credentials, and it’s no wonder why—according to Verizon, 86% of data breaches in 2023 involved compromised credentials. And AI is making the various phishing schemes easier than ever – from improving the quality of the e-mails themselves and removing the tell-tale grammatical errors to using fake voices in vishing scams, the effectiveness of these scams is only increasing.

Below, we explore the different types of phishing and how they work, and then discuss how you can protect yourself from this ever-growing threat.

Classic Phishing Attacks

Classic phishing attacks typically involve deceitful emails designed to trick recipients into revealing personal information or clicking malicious links. These emails often mimic legitimate companies or organizations to gain the victim’s trust. Google intercepts around 100 million phishing emails daily, but that leaves quite a few still making it through. Telltale signs of a phishing e-mail are links that do not look right (perhaps a misspelled domain name like amazone.com or extra words like amazon.customersupport.com), some odd grammar choices, and a sense of urgency that seems out of place (“update info now or your account will be disabled!”)

SMShing (or Smishing)

“You won a $1,000 gift card!” “USPS cannot deliver your package, click here to update your address!” “Unusual activity detected on your bank account!” Chances are, you’ve gotten a text message like that, which is an attempt at SMShing, or phishing via SMS. Like e-mails, they often contain an unusual sense of urgency and some misplaced links, but the link shorteners commonly used in legitimate text messages make these harder to spot. Always go directly to the company’s website to confirm any messages asking you to do anything (and any US government entity like the USPS or IRS) is not going to communicate with you solely via text.

If you’re in the US, did you know you can forward SMShing messages to the FTC? Send to 7726 (AKA SPAM on your phone’s keypad) and it will help your wireless provider identify and block these messages in the future.

Vishing

Vishing (short for “voice phishing”) is a type of phishing attack that uses voice communication, typically phone calls, to deceive victims into revealing sensitive information, such as login credentials, financial details, or personal data. A very common one in the US purports to be from the IRS, threatening penalties and jail time due to back taxes. This one has been around for a while – a viral video from 2018 shows a police officer in Midland, Texas talking to a scammer who tells him to clear his back taxes by buying Apple gift cards or the police would be en route to arrest him within 45 minutes.

Spear Phishing

Spear phishing is a refined and highly targeted form of phishing that requires more effort and research from the attacker. Unlike general phishing, which casts a wide net hoping to snare any unsuspecting victim, spear phishing focuses on specific individuals or organizations. Attackers gather detailed information about their targets to create highly convincing messages that appear legitimate and relevant.

These attackers often utilize information from social media profiles, company websites, and other publicly available sources to customize their approach. The crafted messages may reference recent activities, personal interests, or professional responsibilities, making them difficult to distinguish from genuine communications. This personalization increases the chances of the victim being deceived.

For instance, an attacker targeting an executive might send an email that appears to be from a trusted colleague or business partner. The message might discuss a recent meeting or project, encouraging the recipient to click on a link or download an attachment. Once the victim takes the bait, they could unknowingly download malware or reveal sensitive information, potentially compromising the entire organization.

Spear phishing is not limited to email. Attackers may also use phone calls, social media messages, or even physical mail to carry out their schemes. Given the targeted nature of these attacks, they can have severe consequences, including data breaches, financial loss, and reputational damage.

Recognizing and defending against spear phishing requires a keen eye and a proactive approach. Employees should be trained to scrutinize unexpected communications, even if they seem to come from known contacts. Encourage staff to verify the legitimacy of suspicious messages by contacting the sender through a different, trusted method.

In addition to awareness training, employing technical defenses can help mitigate the risk of spear phishing. Advanced email filters, multi-factor authentication, and robust cybersecurity protocols add layers of protection. By combining vigilance with technological safeguards, individuals and organizations can better protect themselves against the sophisticated tactics of spear phishers.

Whaling

A whaling attack is a highly targeted phishing attack aimed at high-level executives, such as CEOs, CFOs, or other senior leaders within an organization. The goal is to deceive these individuals into sharing sensitive information, transferring funds, or granting access to confidential systems. Unlike the first two methods, these attacks are often carefully crafted to appear legit, banking on busy executives who may get careless with doing their due diligence. In addition to the usual compromised credentials, they might also target intellectual property or strategic competitive intelligence (but they’re not above wire fraud, either!)

Clone Phishing

Clone phishing is a type of phishing attack in which a legitimate email or message that the victim has previously received is copied (“cloned”) and slightly altered by an attacker. The goal is to trick the recipient into believing the new, fraudulent message is a genuine follow-up or update.

This might not seem different than regular phishing, but the key is that it’s coming from a trusted source. For instance, during the Okta breach, the targets were customers who had actually used Okta support recently. Since they might be expecting a message from Okta, the recipients might have understandably not been as vigilant as normal in spotting any irregularities.

Angler Phishing

Angler phishing is a type of social media phishing attack in which cybercriminals impersonate customer service accounts to deceive users into revealing sensitive information or downloading malware. The term “angler” comes from the way attackers “fish” for victims on social platforms. When you consider that messaging company accounts on Facebook and/or Twitter has become an established way to get better support than going through traditional channels like phone or e-mail, this type of attack targets users who are already frustrated (and thus perhaps more likely to be careless.)

Reducing Phishing Risks with Passwordless Login

Transitioning to passwordless certificate-based authentication is a promising strategy to counter phishing attacks. This method uses certificates for authentication, eliminating the need for passwords altogether. This means attackers cannot steal passwords through phishing, significantly reducing the risks of compromise.

In addition to a higher level of security, passwordless authentication simplifies the login process for users. Instead of remembering complex passwords, authentication is handled through the secure exchange of cryptographic keys, where a digital certificate issued by a trusted authority verifies the user’s identity. This enhances security and improves the user experience, making it more convenient and efficient.

Organizations adopting passwordless authentication can benefit from reduced helpdesk calls related to password resets and improved compliance with security policies. This transition also aligns with modern security standards and best practices, positioning organizations ahead of evolving cyber threats.

Embracing passwordless authentication can fortify your defenses against phishing and other cyberattacks, paving the way for a more secure and user-friendly digital environment.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。

About Version 2 Digital

Network Portnox 2024

10 Scripts Every IT Admin Should Have in Their Toolbox

Here’s a list of the top 10 scripts every IT admin should have in their toolbox, categorized by their use cases to maximize efficiency, security, and system management.

1. Automated System Reboot Script

Purpose: Schedules and executes system reboots across servers or endpoints with minimal disruption.
Example: PowerShell or Bash script to reboot Windows/Linux machines in batches during off-hours.

Why It’s Essential: Ensures critical updates or changes requiring reboots are applied consistently without manual intervention.

2. User Account Management Script

Purpose: Automates the creation, modification, or deletion of user accounts in Active Directory (AD) or other systems.
Example: (1) PowerShell: Create new AD users in bulk from a CSV file. (2) Bash: Add or remove users in Linux environments.‍

Why It’s Essential: Saves hours of manual labor and ensures consistency in user access policies.

3. Hardware Inventory Script

Purpose: Collects detailed information about hardware components on endpoints or servers.
Example: A script that retrieves data on CPU, RAM, storage, and network adapters for auditing purposes.

Why It’s Essential: Provides a comprehensive view of hardware resources, aiding in capacity planning, troubleshooting, and ensuring compliance with organizational standards.

4. Disk Space Cleanup Script

Purpose: Identifies and clears unnecessary files to reclaim disk space.
Example: (1) PowerShell: Delete temp files, logs, or old backups on Windows servers. (2) Bash: Automate tmp folder cleanup on Linux systems.

Why It’s Essential: Prevents outages caused by full disks, especially on critical servers.

5. Security Audit Script

Purpose: Checks systems for common security misconfigurations or vulnerabilities.
Example: (1) PowerShell: Audit AD for weak passwords or unused accounts. (2) Bash: Scan open ports or outdated software using Nmap or Lynis.

Why It’s Essential: Helps proactively identify risks and stay compliant with security frameworks.

6. Network Connectivity Testing Script

Purpose: Diagnoses network issues by testing connectivity and logging results.
Example: Script to ping multiple servers, trace routes, and log results to a file.

Why It’s Essential: Quickly identifies network bottlenecks or outages, speeding up troubleshooting.

7. Firewall Management Script

Purpose: Automates vulnerability scans on systems or software.
Example: (1) PowerShell: Use Invoke-WebRequest to check for known CVEs in local software versions. (2) Bash: Scan Linux environments for misconfigured services or outdated packages.

Why It’s Essential: Ensures vulnerabilities are identified before attackers exploit them.

8. Application Deployment Script

Purpose: Automates the deployment of specific applications.
Example: (1) PowerShell: Deploy applications via MSI installers silently. (2) Bash: Use rpm or dpkg to install packages on Linux systems.

Why It’s Essential: Simplifies deploying or updating applications at scale, ensuring uniformity.

9. Backup and Restore Script

Purpose: Automates file, database, or system backups and provides restore options.
Example: Schedule daily file backups to a secure server. Automate database backups and encrypt them for secure storage. Restore critical data after a system failure using pre-configured scripts

Why It’s Essential: Safeguards data integrity and availability, minimizing downtime and ensuring business continuity in the event of accidental deletion, hardware failure, or cyberattacks.

10. Log Parsing and Monitoring Script

Purpose: Filters and analyzes log files for anomalies or critical events.
Example: (1) PowerShell: Extract failed login attempts from Windows Event Logs. (2) Bash: Monitor Linux system logs (/var/log) for unusual activity.

Why It’s Essential: Speeds up root cause analysis and helps detect potential security incidents.

These scripts not only streamline routine tasks but alsoenhance security, improve compliance, and save time for IT admins. By incorporating these into a central script library, IT teams can respond quickly to operational and security needs.

About Version 2 Digital

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

vRx 2023

Best Practices for Troubleshooting a Windows Server Upgrade

To upgrade, or not to upgrade. While that may not have been the question that Hamlet asked, it’s one you might be asking. You already made the mistake of asking Reddit, “should I do an in-place upgrade,” and, as expected, people had Big Opinions. A Windows Server Feature Update offers benefits, like performance and analytics. On the other hand, if you have problems, then your attempts can lead to business downtime and service disruption. Meanwhile, time rolls on toward the October 2025 end-of-service (EoS) for Windows Server 2016.

If you’re still trying to decide if or when to do a Feature Update, then these best practices for troubleshooting a Windows Server upgrade might help you.

What is an in-place Windows Server upgrade?

An in-place Windows server upgrade, also called a Feature Update, is when an organization updates an older operating system version to a new one without making changes to:

Settings
Server roles
Data

By not requiring the IT department to reinstall Windows, the in-place upgrade reduces downtime and business disruption while improving security and system performance.

The process for an in-place Windows server upgrade is:

Collecting diagnostic information for troubleshooting issues
Backing up the server operating system applications, and virtual machines
Performing the Feature Update using the Windows Server Setup
Checking the in-place upgrade to see if it worked

Which version of Windows Server should I upgrade to?

Depending on your current operating system, you may have different supported paths:

Windows Server 2012: Windows Server 2012 R2, Windows Server 2016
Windows Server 2012 R2: Windows Server 2016, Windows Server 2019, Windows Server 2025
Windows Server 2016: Windows Server 2019, Windows Server 2022, Windows Server 2025
Windows Server 2019: Windows Server 2022, Windows Server 2025
Windows Server 2022: Windows Server 2025
Windows Server 2025: Windows Server 2025

Microsoft no longer supports Windows Server 2008 or Windows Server 2008 R2.

Reasons for Upgrading Windows Servers

Upgrading Windows Server provides many of the same benefits that updating other device operating systems (OS) provides.

1. Enhanced Security

As with any operating system, the Windows Server upgrades typically incorporate new security features. For example, Windows Server 2022 brought with it:

Secured-core server: hardware, firmware, and driver capabilities to mitigate security risks during boot, at the firmware level, and from OS executing unverified code
Secure connectivity: implementing HTTPS and TLS 1.3 by default, encryption across DNS and Server Message Block (SMB),

Meanwhile, Windows Server 2025 includes security upgrades for:

Name and Sid lookup forwarding between machine accounts
Confidential attributes
Default machine account passwords
LDAP encryption by default

2. Improved Performance

The OS updates improve performance by changing how processes work. For example, Windows Server 2022 improved performance with changes like:

Encrypting SMB data before data placement
Reducing Windows Container image sizes
Improving both UDP and TCP networking performance
Enhancing Hyper-V virtual switches with Receive Segment Coalescing (RSC)
Allowing users to adjust storage repair speed
Making storage bus cache available for standalone servers

Meanwhile, Windows Server 2025 improves performance with changes like:

Block cloning support
Dev Drive storage volume focused on file system optimizations that improve control over storage volume settings
Enhanced Log to reduce impact on Storage Replica log implementation

3. Enhanced Efficiency and Agility

As the world migrates to hybrid on-premises and cloud infrastructures, the upgrades to Windows Server follow along. For example, Windows Server 2022 came with new Azure hybrid capabilities with Azure Arc, a way to manage Windows and Linux physical servers and virtual machines hosted outside of Azure to maintain consistency. With Windows Server 2025, the Azure Arc setup Feature-on-Demand is installed by default so adding servers is easier.

Challenges with Windows Server Upgrades

While upgrading Windows Server comes with multiple benefits, you may be concerned about the potential problems and challenges, including:

Compatibility issues: Applications running on the server may not work with the new OS version, leading to outages.
Configuration restrictions: Server boot configurations may complicate the upgrade process, requiring reconfiguration or virtualization changes.
Disk space: Upgrades typically require extra space for installation files and temporary processing or else they fail.

How to Troubleshoot a Windows Server Upgrade

While you want everything to work perfectly, you don’t live in a perfect world. If you have to troubleshoot your Windows Server upgrade, then you might want to consider some of these issues.

Review event logs

Using the Event Viewer, you can scan the System and Application logs for Windows Events generated around the same time you did the upgrade. Some Windows Server error codes include:

0x80244007: Windows cannot renew the cookies for the Windows Update
0x80072EE2: WIndows Update Agent unable to connect to the update servers or your update source, like Windows Server Update Services (WSUS)
0x8024401B: Proxy error leads to Windows Update Agent being unable to connect to update servers or your update source, like WSUS.
0x800f0922: Updates for Windows Server 2016 failed to install.
0x800706be: Windows Server 2016 cumulative update failed to install and was
0x80090322: HTTP service principal name (SPN) registered to another service account so PowerShell unable to connect to a remote server using Windows Remote Management (WinRM)

Check for Pending Reboot

An upgrade typically requires four reboots. After the first reboot, you can expect another within 30 minutes. If you see no progress, the upgrade may have failed.

Review Servicing Stack Updates

The servicing stack updates (SSUs) fix problems with the component that installs the Windows Server updates to make sure they’re reliable. Without the latest SSU installed, you may not be able to install the feature or security updates.

Check CPU and I/O

Since the Windows Server upgrade uses a lot of compute power and disk space, you want to make sure that you check these metrics to make sure the process is progressing.

Check Firewall Service

You may need to have the Windows firewall service running for the updates to work. To check whether the service is running, go to Service Manager>Services>Windows Firewall.

Graylog Enterprise: Faster Troubleshooting

Graylog Enterprise enables you to aggregate, correlate, and analyze all your log data in a single location. With Graylog Extended Log Format (GELF) inputs and BEATS inputs, you have a standardized format across Windows log types

Graylog supports Winlogbeat to ingest Windows event logs directly into our BEATS input, or you can use the NXLog community edition that reads Windows event logs and forwards them in GELF.

Using Graylog Sidecar, you can implement multiple configurations per collector and centrally manage their configurations through the Graylog interface. Graylog Cloud accepts inputs from the Graylog Forwarder so that you can collect the same kind of logs from different parts of your infrastructure or maintain a more redundant setup.

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Digital

2024 Graylog