
A group of hackers from Iran is targeting companies worldwide that expose Remote Desktop Protocol (RDP) to the internet and infecting them with the Dharma ransomware.

The attackers launch their campaign by first scanning IP ranges for hosts with RDP exposed on port 3389 (the default RDP port), and then trying weak credentials against them. For the scanning they have been using a tool called Masscan.

Once exposed hosts were identified, the attackers deployed NLBrute, a well-known RDP brute-force tool sold on dark web forums. With it they brute-force their way into the system and then check whether the obtained credentials are also valid on other reachable hosts in the network.

The attackers also attempted to elevate privileges using an exploit for an elevation-of-privilege flaw. This medium-severity flaw (CVE-2017-0213), which affects Windows systems, can be exploited when an attacker runs a specially crafted application. They would then move throughout the network, deploy the Dharma ransomware to encrypt data, and leave a ransom note for the victim. Researchers said the hackers typically demanded a ransom of between 1 and 5 BTC (worth between 12,000 and 59,000 USD at the time of writing).
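A detection-side counterpart to the brute-force stage described above, added here as an example and not part of the original article: it groups Windows Security event 4625 (failed logon) records by source address and flags any source that fails a threshold number of logons within a short window. The event field names (IpAddress, TargetUserName, LogonType) are the real 4625 fields; the sample records, their addresses and the thresholds are constructed for this example.

```powershell
# Added example (not from the article): spot RDP password spraying / brute force
# from Security log 4625 (failed logon) records, grouped by source IP.
# Input objects need TimeCreated, IpAddress, TargetUserName and LogonType.

function Get-RdpBruteForceSource {
    param(
        [Parameter(Mandatory)] [object[]] $FailedLogons,
        [int] $Threshold     = 10,   # this many failures from one source...
        [int] $WindowMinutes = 5     # ...inside this many minutes
    )
    $hits = @()
    # Logon type 10 = RemoteInteractive (RDP). With NLA enabled, pre-auth failures
    # are logged as type 3 (Network), so both are kept; blank or '-' sources are dropped.
    $rdp = $FailedLogons | Where-Object {
        $_.LogonType -in @(3, 10) -and $_.IpAddress -and $_.IpAddress -ne '-'
    }
    foreach ($group in ($rdp | Group-Object -Property IpAddress)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        # Sliding window: any run of $Threshold failures within $WindowMinutes is a hit.
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $hits += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Usernames = ($group.Group.TargetUserName | Sort-Object -Unique) -join ','
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break
            }
        }
    }
    return $hits
}

# Converts a real record so the function above can consume it, e.g.:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#       ForEach-Object { ConvertFrom-FailedLogonEvent $_ }
function ConvertFrom-FailedLogonEvent {
    param([Parameter(Mandatory)] $Event)
    $field = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $Event.TimeCreated
        IpAddress      = $field['IpAddress']
        TargetUserName = $field['TargetUserName']
        LogonType      = [int]$field['LogonType']
    }
}

# Constructed sample: 12 failures in two minutes from one external address cycling
# through common account names, plus one mistyped password from an internal PC.
$base   = Get-Date '2020-06-01 03:00:00'
$names  = 'administrator', 'admin', 'backup', 'scan', 'sql', 'test'
$sample = @()
for ($n = 0; $n -lt 12; $n++) {
    $sample += [pscustomobject]@{
        TimeCreated = $base.AddSeconds(10 * $n); IpAddress = '203.0.113.45'
        TargetUserName = $names[$n % $names.Count]; LogonType = 10
    }
}
$sample += [pscustomobject]@{
    TimeCreated = $base.AddMinutes(1); IpAddress = '10.0.0.25'
    TargetUserName = 'jsmith'; LogonType = 10
}

# Only 203.0.113.45 should be reported.
Get-RdpBruteForceSource -FailedLogons $sample -Threshold 10 -WindowMinutes 5 | Format-Table -AutoSize
```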

A cybersecurity researcher has found a Netgear zero-day vulnerability that allows full takeover of about 79 Netgear router models.

“The specific flaw exists within the httpd service, which listens on TCP Port 80 by default,” according to the ZDI report, which covers the bug’s presence in the R6700 series Netgear routers. “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.” “This vulnerability affects firmwares as early as 2007 (WGT624v4, version 2.0.6),” Nichols said in his post. “Given the large number of firmware images, manually finding the appropriate gadgets is infeasible. Rather, this is a good opportunity to automate gadget detection.”

Affected router models

According to Nichols, 79 Netgear router models and 758 firmware images contain the vulnerable HTTPD daemon.

A list of these affected models and firmware can be found in Nichols’ PoC exploit.

Below we can see the 79 router models that are affected:

AC1450, D6220, D6300, D6400, D7000v2, D8500, DC112A, DGN2200, DGN2200v4, DGN2200M, DGND3700, EX3700, EX3800, EX3920, EX6000, EX6100, EX6120, EX6130, EX6150, EX6200, EX6920, EX7000, LG2200D, MBM621, MBR624GU, MBR1200, MBR1515, MBR1516, MBRN3000, MVBR1210C, R4500, R6200, R6200v2, R6250, R6300, R6300v2, R6400, R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7100LG, R7300, R7850, R7900, R8000, R8300, R8500, RS400, WGR614v8, WGR614v9, WGR614v10, WGT624v4, WN2500RP, WN2500RPv2, WN3000RP, WN3100RP, WN3500RP, WNCE3001, WNDR3300, WNDR3300v2, WNDR3400, WNDR3400v2, WNDR3400v3, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR834Bv2, WNR1000v3, WNR2000v2, WNR3500, WNR3500v2, WNR3500L, WNR3500Lv2, XR300

Netgear has released firmware updates for some of the newer models; however, these devices do not update themselves automatically. You will have to download the firmware from the Netgear website, log into your router, and apply the update yourself.

To restore the Dell N4024 or N4048 switch to factory defaults you can follow the below procedure:

Manually reboot the switch. While it is booting, watch the boot screen for “Dell Networking Boot Options” and select option 2 (Display Boot Menu) within 3 seconds. On the Boot Main Menu, enter choice 10 (Restore Configuration to Factory Defaults).

Dell Networking Boot Options

Select a menu option within 3 seconds or the Operational Code will start automatically…

1 – Start Operational Code

2 – Display Boot Menu

Select (1, 2) # 2

Boot Main Menu

1 – Start Operational Code

2 – Select Baud Rate

3 – Retrieve Logs

4 – Load New Operational Code

5 – Display Operational Code Details

9 – Reboot

10 – Restore Configuration to Factory Defaults

11 – Activate Backup Image

12 – Start Password Recovery

Enter Choice* 10

To restore the Dell N3024 or N3048 switch to factory defaults you can follow the below procedure:

Manually reboot the switch. While it is booting, watch the boot screen for “Dell Networking Boot Options” and select option 2 (Display Boot Menu) within 3 seconds. On the Boot Main Menu, enter choice 10 (Restore Configuration to Factory Defaults).

Dell Networking Boot Options

Select a menu option within 3 seconds or the Operational Code will start automatically…

1 – Start Operational Code

2 – Display Boot Menu

Select (1, 2) # 2

Boot Main Menu

1 – Start Operational Code

2 – Select Baud Rate

3 – Retrieve Logs

4 – Load New Operational Code

5 – Display Operational Code Details

9 – Reboot

10 – Restore Configuration to Factory Defaults

11 – Activate Backup Image

12 – Start Password Recovery

Enter Choice* 10

In this tutorial I will show you how to adopt new UniFi devices to your UniFi Cloud Controller using the SSH method.

We will first start off by:

1. Download and install Advanced IP Scanner.

2. Open Advanced IP Scanner and run a scan to locate all your new UniFi devices. Note: make sure network discovery is enabled on your computer.

3. In Advanced IP Scanner, note the IP address each UniFi device is using.

4. Download, install, and run PuTTY.

5. Enter the IP address of the UniFi device, port 22, connection type SSH, and click “Open”.

6. Log in with the default username ubnt and password ubnt.

7. In that same console window, type set-inform followed by the server address, for example: set-inform http://yourdomain:8080/inform. Make sure to use a DNS name instead of an IP address.

Make sure to use http:// rather than https://, and append :8080/inform to the domain, for example: http://unifi.patrickdomingues.com:8080/inform.

8. Log into your UniFi Cloud Controller and create your new site if needed.

9. Your new devices will now show up for adoption on ALL sites in your UniFi Cloud Controller. Use the sites drop-down in the upper right corner to switch to the site you want the device adopted into, then click “Adopt”.

10. The device status should change from “Pending” to “Adopting” and then to “Provisioning” fairly quickly. The device receives its new configuration from the UniFi Cloud Controller and reboots; afterwards the status should change to “Connected”.

11. Once that is done you can upgrade the device firmware and begin configuring your network under Settings. Remember to set a monthly schedule for automatic firmware updates.

In this tutorial I will show you how to adopt new UniFi devices to your UniFi Cloud Controller using the Ubiquiti Device Discovery Tool.

We will first start off by:

1. Download and install Google Chrome.

2. Download, install, and run the Ubiquiti Device Discovery Tool within Google Chrome.

3. Click [Scan] and wait for your devices to show up. Note: make sure network discovery is enabled on your computer.

4. Click [Unifi Family] in the top right corner. You should now see an [Action] button next to each device; click [Action].

5. In the popup window, change the “Inform URL” to your UniFi Controller’s set-inform URL. Make sure to use a DNS name instead of an IP address.

Make sure to use http:// rather than https://, and append :8080/inform to the domain, for example: http://unifi.patrickdomingues.com:8080/inform.

6. Log into your UniFi Cloud Controller and create your new site if needed.

7. Your new devices will now show up for adoption on ALL sites in your UniFi Cloud Controller. Use the sites drop-down in the upper right corner to switch to the site you want the device adopted into, then click “Adopt”.

8. The device status should change from “Pending” to “Adopting” and then to “Provisioning” fairly quickly. The device receives its new configuration from the UniFi Cloud Controller and reboots; afterwards the status should change to “Connected”.

9. Once that is done you can upgrade the device firmware and begin configuring your network under Settings. Remember to set a monthly schedule for automatic firmware updates.

If you had any problems with this tutorial and cannot set the inform URL using this method, you may have better luck with UniFi Cloud Controller Adoption Using SSH.
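Both adoption methods above require the same inform URL shape (http rather than https, a DNS name rather than an IP, and :8080/inform at the end). This added example, which is not part of either tutorial, checks a URL against those rules and then sends the SSH method's set-inform command with the OpenSSH client that ships with Windows 10. The device address 192.168.1.20 is a placeholder, the hostname is the tutorial's own example, and the ubnt credentials are the factory defaults the tutorial gives.

```powershell
# Added example (not from the tutorials): validate a UniFi inform URL against the
# rules in the text, then push it to a device over SSH instead of typing it in PuTTY.

function Test-InformUrl {
    param([Parameter(Mandatory)][string] $Url)
    $problems = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Url = $Url; Valid = $false; Problems = @('not an absolute URL') }
    }
    if ($uri.Scheme -ne 'http')            { $problems += "scheme must be http, not $($uri.Scheme)" }
    if ($uri.Port -ne 8080)                { $problems += "port must be 8080, not $($uri.Port)" }
    if ($uri.AbsolutePath -ne '/inform')   { $problems += "path must be /inform, not $($uri.AbsolutePath)" }
    # A DNS name lets the controller move (new IP, new host) without re-adopting every device.
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
        $problems += "host must be a DNS name, not the address $($uri.Host)"
    }
    [pscustomobject]@{ Url = $Url; Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Set-UnifiInform {
    param(
        [Parameter(Mandatory)][string] $DeviceIp,
        [Parameter(Mandatory)][string] $InformUrl,
        [string] $User = 'ubnt'              # factory default login; password is also ubnt
    )
    $check = Test-InformUrl -Url $InformUrl
    if (-not $check.Valid) {
        throw "Refusing to set inform URL: $($check.Problems -join '; ')"
    }
    # Same command the tutorial has you type after logging in with PuTTY (port 22, SSH).
    # ssh.exe prompts for the device password interactively.
    & ssh.exe "$User@$DeviceIp" "set-inform $InformUrl"
}

# Wrong form beside the corrected form: the first fails all three rules, the second passes.
'https://192.168.1.5/inform', 'http://unifi.patrickdomingues.com:8080/inform' |
    ForEach-Object { Test-InformUrl -Url $_ } | Format-List

# Then, for a real device (placeholder address):
# Set-UnifiInform -DeviceIp 192.168.1.20 -InformUrl 'http://unifi.patrickdomingues.com:8080/inform'
```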

In this tutorial we will show you how to enable MFA for the UniFi Controller; once it is set up correctly you will be presented with the MFA login.

We will first start off by:

Creating an account on Ubiquiti’s website https://account.ui.com/. Make sure to use the same email address that you are going to use for the Controller.

Then follow these steps: https://help.ui.com/hc/en-us/articles/115012986607-How-to-Enable-Two-Factor-Authentication#2

Now log into your controller, go to Settings > Remote Access, and enable “Local login with UBNT account” on your UniFi server.

Afterwards, within your controller, create your admin account using the exact same username, email, and password as your UI account.

Log out; when you next log in directly to UniFi you will be prompted for MFA.

Multi Factor Authentication Login Screen

The DHS Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert regarding an ongoing Nefilim ransomware campaign, after the New Zealand Computer Emergency Response Team (CERT NZ) issued an alert of its own.

Nefilim ransomware is the successor of Nemty ransomware and was first discovered in February 2020. The developers of the ransomware conduct their own attacks and deploy the ransomware manually after gaining access to enterprise networks.

Once an attacker gains a foothold through the remote access system, they then use tools such as mimikatz, psexec, and Cobalt Strike to elevate privileges, move laterally across a network, and establish persistence on the network.

The attacker identifies and extracts sensitive information from the network and then encrypts files. Nefilim has commonly been used, but other ransomware families can be used as well. Once the attackers have the information they want, they attempt to sell it or release it publicly.

Ransomware Mitigations to Help You Defend Today and Secure Tomorrow

The recommendations below are taken from the “CISA INSIGHTS” report: three sets of straightforward steps any organization can take to manage its risk.

Actions for Today – Make Sure You’re Not Tomorrow’s Headline:

1. Back up your data, system images, and configurations, and keep the backups offline

2. Update and patch systems

3. Make sure your security solutions are up to date

4. Review and exercise your incident response plan

5. Pay attention to ransomware events and apply lessons learned

Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse:

1. Ask for help! Contact CISA, the FBI, or the Secret Service

2. Work with an experienced advisor to help recover from a cyber attack

3. Isolate the infected systems and phase your return to operations

4. Review the connections of any business relationships (customers, partners, vendors) that touch your network

5. Apply business impact assessment findings to prioritize recovery

Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark:

1. Practice good cyber hygiene; back up, update, whitelist apps, limit privilege, and use multifactor authentication

2. Segment your networks; make it hard for the bad guy to move around and infect multiple systems

3. Develop containment strategies; if bad guys get in, make it hard for them to get stuff out

4. Know your system’s baseline for recovery

5. Review disaster recovery procedures and validate goals with executives

Aren’t you glad you stumbled upon this Kaseya script for Windows Disk Cleanup? This Windows Disk Cleanup script for Kaseya cleans up every one of the Disk Cleanup categories listed below.

What does it do?

I am glad you asked. The script uses the Kaseya scripting engine to write the options below into the registry, and afterwards runs a CMD command that launches Disk Cleanup with the settings profile we created, which cleans up all the junk.

Active Setup Temp Folders

BranchCache

Downloaded Program Files

GameNewsFiles

GameStatisticsFiles

GameUpdateFiles

Internet Cache Files

Memory Dump Files

Offline Pages Files

Old ChkDsk Files

Previous Installations

Recycle Bin

Service Pack Cleanup

Setup Log Files

System error memory dump files

System error minidump files

Temporary Files

Temporary Setup Files

Temporary Sync Files

Thumbnail Cache

Update Cleanup

Upgrade Discarded Files

User file versions

Windows Defender

Windows Error Reporting Archive Files

Windows Error Reporting Queue Files

Windows Error Reporting System Archive Files

Windows Error Reporting System Queue Files

Windows ESD installation files

Windows Upgrade Log Files

There is a downside, unfortunately: this script only works while a user is logged in, and it cannot be run silently. To deploy it automatically on a schedule, within Kaseya we used Policy Management and configured a new scheduled policy that runs this Windows Disk Cleanup script every evening while users are logged in.
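The same registry-then-cleanmgr technique written directly in PowerShell, as an added example rather than the page's Kaseya procedure; the StateFlags0100 value the script sets is the one that cleanmgr's /sagerun:100 profile reads. Note that the Kaseya script further down writes most of its StateFlags0100 values with DataType String, while Disk Cleanup itself stores these flags as DWORDs, and a few of its paths are malformed (the 64-bit GameNewsFiles entry lacks the value name, Setup Log Files uses a forward slash, and two entries carry trailing spaces), so this example writes a DWORD for every handler. It assumes an elevated, interactive PowerShell session on the target machine.

```powershell
# Added example, not the page's Kaseya script: enable the listed Disk Cleanup handlers
# for profile 100 and run it. Needs admin (HKLM writes) and a logged-in desktop (cleanmgr UI).

$ProfileId = 100                                # StateFlags0100 pairs with cleanmgr /sagerun:100
$FlagName  = 'StateFlags{0:D4}' -f $ProfileId   # -> StateFlags0100
$CachesKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'

# The handler names the article's script enables (same list as above). Which handlers
# exist varies by Windows build, so missing keys are reported instead of failing the run.
$Handlers = @(
    'Active Setup Temp Folders', 'BranchCache', 'Downloaded Program Files',
    'GameNewsFiles', 'GameStatisticsFiles', 'GameUpdateFiles',
    'Internet Cache Files', 'Memory Dump Files', 'Offline Pages Files',
    'Old ChkDsk Files', 'Previous Installations', 'Recycle Bin',
    'Service Pack Cleanup', 'Setup Log Files', 'System error memory dump files',
    'System error minidump files', 'Temporary Files', 'Temporary Setup Files',
    'Temporary Sync Files', 'Thumbnail Cache', 'Update Cleanup',
    'Upgrade Discarded Files', 'User file versions', 'Windows Defender',
    'Windows Error Reporting Archive Files', 'Windows Error Reporting Queue Files',
    'Windows Error Reporting System Archive Files', 'Windows Error Reporting System Queue Files',
    'Windows ESD installation files', 'Windows Upgrade Log Files'
)

function Enable-CleanupHandler {
    # Sets the profile flag on each handler key; returns which were enabled and which are absent.
    param(
        [Parameter(Mandatory)][string[]] $Name,
        [string] $Key  = $CachesKey,
        [string] $Flag = $FlagName
    )
    $enabled = @(); $missing = @()
    foreach ($n in $Name) {
        $path = Join-Path -Path $Key -ChildPath $n
        if (-not (Test-Path -LiteralPath $path)) { $missing += $n; continue }
        # cleanmgr reads the flag as REG_DWORD; 2 = "include this handler in the profile".
        # A 64-bit PowerShell writes the native registry view, so no separate 64-bit step is
        # needed (the Kaseya agent is 32-bit, which is why its script writes both views).
        New-ItemProperty -LiteralPath $path -Name $Flag -Value 2 -PropertyType DWord -Force | Out-Null
        $enabled += $n
    }
    [pscustomobject]@{ Enabled = $enabled; Missing = $missing }
}

function Get-CleanupProfileHandler {
    # Audit helper: every handler whose flag is currently 2 for this profile.
    param([string] $Key = $CachesKey, [string] $Flag = $FlagName)
    Get-ChildItem -LiteralPath $Key | Where-Object {
        (Get-ItemProperty -LiteralPath $_.PSPath -Name $Flag -ErrorAction SilentlyContinue).$Flag -eq 2
    } | Select-Object -ExpandProperty PSChildName
}

$result = Enable-CleanupHandler -Name $Handlers
'Enabled {0} handlers; not present on this build: {1}' -f $result.Enabled.Count, ($result.Missing -join ', ')
'Profile {0} now covers: {1}' -f $ProfileId, ((Get-CleanupProfileHandler) -join ', ')

# Run the profile. This is the step the article's "CMD" performs; cleanmgr shows a progress
# window, which is why the Kaseya procedure only works with a user logged in.
Start-Process -FilePath "$env:SystemRoot\System32\cleanmgr.exe" -ArgumentList "/sagerun:$ProfileId" -Wait
```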

Below you can see the Kaseya script. I have also provided a download link for it.

<?xml version="1.0" encoding="utf-8"?> <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting"> <Procedure name="Windows Disk Cleaner" treePres="3" id="1946074875" folderId="113237001566792" treeFullPath="myProcedures - pdomingues@teamlogicit.com"> <Body description=""> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Active Setup Temp Folders\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Active Setup Temp Folders\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\BranchCache\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\BranchCache\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" 
continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Downloaded Program Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Downloaded Program Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\GameNewsFiles\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\GameNewsFiles" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\GameStatisticsFiles\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter 
xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\GameStatisticsFiles\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\GameUpdateFiles\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\GameUpdateFiles\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" 
name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Memory Dump Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Memory Dump Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Offline Pages Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Offline Pages Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Old ChkDsk Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" 
value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Old ChkDsk Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Recycle Bin\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" 
value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Service Pack Cleanup\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Service Pack Cleanup\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Setup Log Files/StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Setup Log Files/StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error memory dump files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" 
value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error memory dump files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error minidump files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\System error minidump files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" 
value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Sync Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Sync Files\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache\StateFlags0100" /> <Parameter xsi:type="StringParameter" name="Value" value="2" /> <Parameter xsi:type="EnumParameter" name="DataType" value="String" /> </Statement> <Statement name="SetRegistryValue64" continueOnFail="false"> <Parameter xsi:type="StringParameter" name="RegistryPath" 
value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Thumbnail Cache\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Update Cleanup\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Update Cleanup\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Upgrade Discarded Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Upgrade Discarded Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\User file versions\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\User file versions\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Archive Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Archive Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Queue Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting Queue Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Archive Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Archive Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Error Reporting System Queue Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows ESD installation files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows ESD installation files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Upgrade Log Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="SetRegistryValue64" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Upgrade Log Files\StateFlags0100" />
  <Parameter xsi:type="StringParameter" name="Value" value="2" />
  <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
</Statement>
<Statement name="ExecuteShellCommand" continueOnFail="false">
  <Parameter xsi:type="StringParameter" name="Command" value="%SystemRoot%\SYSTEM32\cleanmgr.exe /s /q START /WAIT cleanmgr /sagerun:100" />
  <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="User" />
  <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
</Statement>
<Statement name="WriteScriptLogEntry" continueOnFail="false" osType="Windows">
  <Parameter xsi:type="StringParameter" name="Comment" value="Windows Disk Cleanup Complete." />
</Statement>
</Body>
</Procedure>
</ScriptExport>
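An RMM agent procedure like the one above writes to the registry and runs shell commands on every endpoint it is pushed to, so it is worth auditing the export before approving it. The following is an added example, not the page's script or Kaseya's code: it parses a ScriptExport procedure in the shape shown above (the ScriptExport, Procedure, Body, Statement and Parameter names are taken from that procedure), lists its registry writes and shell commands, and flags registry paths with stray whitespace (which silently create a differently named value that cleanmgr never reads), writes outside an expected key prefix, and commands run as SYSTEM. The sample procedure and the prefix check are constructed assumptions.

```python
import xml.etree.ElementTree as ET

VOLUME_CACHES = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\"

def _local(tag):
    """Strip any XML namespace so the walk works with or without xmlns declarations."""
    return tag.rsplit("}", 1)[-1]

def audit_procedure(xml_text, allowed_prefix=VOLUME_CACHES):
    """Summarise what a ScriptExport procedure does before it is approved for deployment.
    Returns the registry writes, the shell commands, and review warnings."""
    report = {"registry_writes": [], "shell_commands": [], "warnings": []}
    for st in ET.fromstring(xml_text).iter():
        if _local(st.tag) != "Statement":
            continue
        name = st.get("name")
        p = {c.get("name"): c.get("value", "") for c in st if _local(c.tag) == "Parameter"}
        if name in ("SetRegistryValue", "SetRegistryValue64"):
            path = p.get("RegistryPath", "")
            report["registry_writes"].append((name, path, p.get("Value")))
            # Leading/trailing whitespace yields a differently named value that
            # cleanmgr never reads, so the statement becomes a silent no-op.
            if path != path.strip():
                report["warnings"].append(f"whitespace in RegistryPath: {path!r}")
            if not path.lower().startswith(allowed_prefix.lower()):
                report["warnings"].append(f"registry write outside expected key: {path!r}")
        elif name == "ExecuteShellCommand":
            cmd, acct = p.get("Command", ""), p.get("ExecuteAccount", "")
            report["shell_commands"].append((cmd, acct))
            if acct.lower() == "system":
                report["warnings"].append(f"shell command runs as SYSTEM: {cmd!r}")
    return report

# Constructed sample in the shape of the procedure above (not the page's full export).
SAMPLE = r"""<ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <Procedure name="Windows Disk Cleanup (sample)"><Body>
  <Statement name="SetRegistryValue64" continueOnFail="false">
   <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\User file versions\StateFlags0100 " />
   <Parameter xsi:type="StringParameter" name="Value" value="2" />
   <Parameter xsi:type="EnumParameter" name="DataType" value="String" />
  </Statement>
  <Statement name="ExecuteShellCommand" continueOnFail="false">
   <Parameter xsi:type="StringParameter" name="Command" value="cleanmgr /sagerun:100" />
   <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
   <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
  </Statement>
 </Body></Procedure>
</ScriptExport>"""
```

Running `audit_procedure(SAMPLE)` on the sample returns one registry write, one shell command, and two warnings: the trailing space in the registry path and the command running as SYSTEM.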

Recently it was found that Plex Media Server had vulnerabilities that could allow attackers a full system takeover.

The three vulnerabilities found are CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742; they were discovered by Tenable security researcher Chris Lyne and reported to Plex on May 31st.

If attackers are able to exploit these vulnerabilities, they could execute code to gain access to all files, create backdoors, and even move to other devices on the network.

Phishing for Plex Media Server Tokens (CVE-2020-5742)

Update to the latest version

To make sure you are not vulnerable, log in to your Plex server and update right away.

“We have rolled out a change in our update distribution servers. This change will protect Plex Media Server version 1.18.2 or newer,” the Plex Security Team said. “Plex Media Server installations older than 1.18.2 will still be exploitable and we highly encourage users on older releases to upgrade.” “Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) feature additional hardening in the updater infrastructure to protect against future vulnerabilities. We recommend that all users update to one of these releases.”

Plex also resolved the CVE-2020-5742 vulnerability by enabling automatic alerts on authentication pages to notify Plex users when they are logging into a media server that’s not hosted by Plex.