OpenVPN Windows client auto connect on startup

A common issue when accessing shared folders from a remote location is forgetting to connect OpenVPN to the office network first.

Ideally, OpenVPN should connect automatically at startup, so that users do not fail to reach the network share for this reason and then remove the drive mapping.

One way to run it at logon is to place a shortcut in the usual Startup folder.

(For all users, %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup; or for the current user only, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.)

Create a shortcut on your desktop pointing to C:\Program Files\OpenVPN\bin\openvpn-gui.exe (verify that the file is at this location), then cut and paste it into either %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (current user) or %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup (all users).

or, in CMD (current user), type

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OpenVPN-GUI /t REG_SZ /d "\"C:\Program Files\OpenVPN\bin\openvpn-gui.exe\" --connect myprofile.ovpn" /f

replacing myprofile.ovpn with the file name of your .ovpn profile. (The executable path contains a space, so it must stay quoted inside the value, and --connect is spelled with two hyphens.)

Or you can start regedit, browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and set the OpenVPN-GUI value data to "C:\Program Files\OpenVPN\bin\openvpn-gui.exe" --connect myprofile.ovpn
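The same registration done from PowerShell, as an added example that is not part of the original post. It verifies that openvpn-gui.exe and the profile exist before writing the Run value (so a typo does not leave a silently broken autostart), quotes the path correctly, and reads the value back. The default install and config-folder paths are assumptions; adjust them if your installation differs.

```powershell
# Added example (not from the original post): register OpenVPN GUI to auto-connect a
# profile at logon by writing the Run key described above, after checking that the
# executable and the profile actually exist. Paths assume a default installation.

function Set-OpenVpnAutoConnect {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,      # e.g. myprofile.ovpn
        [ValidateSet('CurrentUser', 'AllUsers')] [string] $Scope = 'CurrentUser',
        [string] $GuiPath = 'C:\Program Files\OpenVPN\bin\openvpn-gui.exe'
    )

    # Fail early instead of registering a value Windows will silently fail to run.
    if (-not (Test-Path -LiteralPath $GuiPath)) {
        throw "openvpn-gui.exe not found at $GuiPath"
    }

    # Assumption: openvpn-gui.exe looks for profiles in these two default config folders.
    $configDirs = @(
        (Join-Path $env:USERPROFILE 'OpenVPN\config'),
        'C:\Program Files\OpenVPN\config'
    )
    $profileFound = $configDirs | Where-Object { Test-Path -LiteralPath (Join-Path $_ $ProfileName) }
    if (-not $profileFound) {
        throw "Profile $ProfileName not found in: $($configDirs -join '; ')"
    }

    # HKCU\...\Run runs for this user only; HKLM\...\Run runs for every user at logon
    # (writing HKLM requires an elevated session).
    $runKey = if ($Scope -eq 'CurrentUser') {
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    } else {
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    }

    # The path contains a space, so it is quoted inside the value; --connect takes the
    # profile file name, not a full path.
    $command = "`"$GuiPath`" --connect $ProfileName"
    Set-ItemProperty -Path $runKey -Name 'OpenVPN-GUI' -Value $command -Type String

    # Return the stored value so the caller sees exactly what will run at logon.
    (Get-ItemProperty -Path $runKey -Name 'OpenVPN-GUI').'OpenVPN-GUI'
}

# Usage (current user):
# Set-OpenVpnAutoConnect -ProfileName 'myprofile.ovpn'
# Usage (all users, from an elevated session):
# Set-OpenVpnAutoConnect -ProfileName 'myprofile.ovpn' -Scope AllUsers
```

Because the Run key is also a common persistence location, it is worth periodically listing its contents (Get-ItemProperty on the same key) so that the OpenVPN-GUI entry is the only one you do not recognise by name.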

Restricting access using Geolocation via Fortigate

There will be instances where a server must be publicly reachable so that remote offices can access applications within your network.

FortiOS versions 7 and above offer Geo-IP restriction features, enabling administrators to control access to internal services based on geographical location. This feature is particularly useful for organizations with remote offices or users who need to access applications within the network from specific countries or regions.

By configuring Geo-IP restrictions, you can:

Allow access to internal services only from specific countries or regions.
Restrict access from countries or regions with high security risks.
Comply with data sovereignty regulations by controlling where data is accessed.
Enhance security by limiting exposure to unauthorized access.

To configure Geo-IP restrictions:

1. Log in to your FortiGate admin portal, expand Policy & Objects and select Addresses.

2. Select Create New and select Address.

3. Type a name for the location and select Geography from the Type drop-down list.

4. Select the country you want to allow.

5. Select the interface that this address restriction applies to.

6. Click OK to save.

7. Regions added will appear in the Geography address group.

8. Apply the restriction by selecting the newly added address as the Source of the policy you want to restrict.

9. Click OK to complete the setup.

By limiting access to internal services from specific countries or regions, you can reduce unnecessary traffic and prevent bandwidth waste.

Geo-IP restrictions can help block malicious traffic from known botnet sources or countries with high cybercrime activity, reducing the risk of automated attacks.

Allowing processes blocked by firewall

01. List all listening TCP ports with "netstat -ano -p tcp" in an administrator CMD prompt (the -o switch adds the owning PID column needed in the next step).

(Screenshot: netstat listing open TCP ports)

02. Find the PID associated with each open port that requires inbound connections.

(Screenshot: finding the PID of the owning process)

03. Pipe tasklist to find to locate the owning process name.

04. Use wmic to locate the full executable path of each process you want to allow through Windows Firewall.

05. Go to Control Panel, All Control Panel Items and select Windows Firewall.

06. Select Allow an app or feature through Windows Defender Firewall.

(Screenshot: allowing a program through the firewall in the GUI)

07. Select Allow another app.

08. Copy the process's full path from the command line, paste it and click Open.

(Screenshot: pasting the process's full path)

09. Click Add to add the program. Repeat for every other running process that is blocked.

Some applications pick their listening ports dynamically. Allowing the program itself, rather than a fixed port, avoids the situation where a static port is opened while the other ports the process actually uses stay blocked.
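The same procedure with the built-in cmdlets instead of netstat, tasklist, wmic and the Control Panel, as an added example that is not from the original post. Get-ListeningProcess produces the port-to-executable mapping of steps 1 to 4 in one table, and Add-ProgramFirewallRule creates the program-scoped inbound rule of steps 5 to 9. The function names are mine; run from an elevated PowerShell session so that the image paths of other users' processes are visible.

```powershell
# Added example (not from the original post): enumerate listening TCP ports with their
# owning executable, then allow a chosen executable inbound as a program rule rather
# than opening a fixed port. Requires an elevated session.

function Get-ListeningProcess {
    # One row per listening TCP port: local endpoint, PID, process name and image path.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path   # empty for protected/system processes
            }
        } |
        Sort-Object LocalPort, LocalAddress
}

function Add-ProgramFirewallRule {
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        # Domain and Private only by default: the rule stays closed on public networks.
        [ValidateSet('Domain', 'Private', 'Public', 'Any')] [string[]] $Profiles = @('Domain', 'Private')
    )
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Executable not found: $ExePath" }
    $name = 'Allow inbound - ' + (Split-Path -Leaf $ExePath)

    # Idempotent: "repeat for all other processes" should not create duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    # -Program scopes the rule to this executable, so whatever ports it picks at run
    # time are reachable for it, while nothing else is opened on those ports.
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Program $ExePath -Profile $Profiles -Enabled True
}

# Usage:
# Get-ListeningProcess | Format-Table -AutoSize
# $target = Get-ListeningProcess | Where-Object PID -eq 1234 | Select-Object -First 1
# Add-ProgramFirewallRule -ExePath $target.Path
```

Before adding a rule, check the Path column: a listener whose image path is in a user-writable location (a temp or profile folder) deserves a closer look rather than a firewall exception.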

FortiOS – buffer overflow – CVE-2023-27997

A critical vulnerability discovered in FortiGate SSL VPN enables hackers to infiltrate vulnerable systems and inject malicious code, even when Multi-Factor Authentication (MFA) is activated.

The following Fortinet product versions are affected and their firmware should be updated.

Affected Products
FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14
FortiProxy version 7.2.0 through 7.2.1
FortiProxy version 7.0.0 through 7.0.7
FortiProxy version 2.0.0 through 2.0.11
FortiProxy version 1.2.0 through 1.2.13
FortiProxy version 1.1.0 through 1.1.6
FortiProxy version 1.0.0 through 1.0.7

CVE-2023-27997 is a critical heap buffer overflow in the pre-authentication part of Fortinet's FortiOS SSL-VPN.

Exploiting it lets data overflow from one heap allocation into adjacent ones, which can lead to arbitrary code execution and further malicious activity on the device.

SSL VPNs are typically relied upon to establish secure connections to private organizational networks, so the vulnerability could grant cybercriminals access to networks and products assumed to be protected.

The vulnerability is exploitable before authentication, without any credentials, which makes attacks harder to intercept and raises the likelihood of a successful data breach.

The recommended response to CVE-2023-27997 is to upgrade to the latest FortiOS firmware release and/or disable SSL-VPN on all impacted devices if it is not actively in use.

To shut off SSL-VPN access, follow this link.

Follow Fortinet's best practices on hardening your network devices.
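A way to check a device inventory against the affected-version list above, as an added example that is not part of the original post. The ranges are copied from the list; the inventory entries are constructed sample data, and the function name is mine. Because the page lists affected ranges only, a version outside every range is reported as not listed rather than as confirmed fixed.

```powershell
# Added example (not from the original post): flag Fortinet devices whose firmware
# falls inside one of the CVE-2023-27997 affected ranges listed above.

# Affected ranges exactly as listed: product, first affected, last affected.
$AffectedRanges = @(
    @{ Product = 'FortiOS';      From = '7.2.0'; To = '7.2.2'  }
    @{ Product = 'FortiOS';      From = '7.0.0'; To = '7.0.8'  }
    @{ Product = 'FortiOS';      From = '6.4.0'; To = '6.4.10' }
    @{ Product = 'FortiOS';      From = '6.2.0'; To = '6.2.11' }
    @{ Product = 'FortiOS';      From = '6.0.0'; To = '6.0.15' }
    @{ Product = 'FortiOS';      From = '5.6.0'; To = '5.6.14' }
    @{ Product = 'FortiOS';      From = '5.4.0'; To = '5.4.13' }
    @{ Product = 'FortiOS';      From = '5.2.0'; To = '5.2.15' }
    @{ Product = 'FortiOS';      From = '5.0.0'; To = '5.0.14' }
    @{ Product = 'FortiOS-6K7K'; From = '7.0.0'; To = '7.0.7'  }
    @{ Product = 'FortiOS-6K7K'; From = '6.4.0'; To = '6.4.9'  }
    @{ Product = 'FortiOS-6K7K'; From = '6.2.0'; To = '6.2.11' }
    @{ Product = 'FortiOS-6K7K'; From = '6.0.0'; To = '6.0.14' }
    @{ Product = 'FortiProxy';   From = '7.2.0'; To = '7.2.1'  }
    @{ Product = 'FortiProxy';   From = '7.0.0'; To = '7.0.7'  }
    @{ Product = 'FortiProxy';   From = '2.0.0'; To = '2.0.11' }
    @{ Product = 'FortiProxy';   From = '1.2.0'; To = '1.2.13' }
    @{ Product = 'FortiProxy';   From = '1.1.0'; To = '1.1.6'  }
    @{ Product = 'FortiProxy';   From = '1.0.0'; To = '1.0.7'  }
)

function Test-CveAffected {
    param(
        [Parameter(Mandatory)] [string] $Product,
        [Parameter(Mandatory)] [string] $Version
    )
    # [version] compares dotted numbers numerically (6.4.10 > 6.4.9), unlike string
    # comparison, which is the usual mistake in ad-hoc version checks.
    $v = [version] $Version
    foreach ($r in $AffectedRanges) {
        if ($r.Product -eq $Product -and $v -ge [version] $r.From -and $v -le [version] $r.To) {
            return $true
        }
    }
    return $false
}

# Constructed sample inventory (not real devices).
$Inventory = @(
    [pscustomobject]@{ Host = 'fw-branch-01'; Product = 'FortiOS';      Version = '7.0.8'  }
    [pscustomobject]@{ Host = 'fw-hq';        Product = 'FortiOS';      Version = '6.4.10' }
    [pscustomobject]@{ Host = 'fw-6k-core';   Product = 'FortiOS-6K7K'; Version = '6.4.9'  }
    [pscustomobject]@{ Host = 'proxy-01';     Product = 'FortiProxy';   Version = '7.0.7'  }
)

$Inventory |
    Select-Object Host, Product, Version,
        @{ Name = 'InAffectedRange'; Expression = { Test-CveAffected -Product $_.Product -Version $_.Version } } |
    Format-Table -AutoSize
```

Feed it your real inventory (for example an export from FortiManager or a CMDB) in place of the sample rows; devices that report True should be scheduled for the firmware upgrade or have SSL-VPN disabled as the advisory recommends.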

Anydesk Production Server Breached

AnyDesk recently confirmed a cyberattack compromising their production systems, resulting in the theft of source code and private code signing keys. The remote access software, popular among enterprises and threat actors alike, serves 170,000 customers, including notable organizations like 7-Eleven and Samsung.

AnyDesk detected the attack on their servers and enlisted CrowdStrike’s help to respond. While details on data theft remain undisclosed, the company assured users of system safety. They revoked security certificates, replaced compromised systems, and advised users to update to the latest version with new code signing certificates.

Though AnyDesk denies token theft, they revoked web portal passwords and advised users to change them as a precaution. The company replaced stolen code signing certificates, evident in the new software version 8.0.8. The certificate transition ensures continued security for users.

https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

Doctor Web – Malicious apps on Google Play

Malicious Android apps on Google Play, including adware and trojans disguised as games, amassed over two million installs. These apps hid their presence by replacing their icons with the Google Chrome icon or with transparent images. They generated revenue through intrusive ads.

Four adware (HiddenAds) apps disguised as games:

  • Super Skibydi Killer – 1,000,000 downloads
  • Agent Shooter – 500,000 downloads
  • Rainbow Stretch – 50,000 downloads
  • Rubber Punch 3D – 500,000 downloads

Additionally, some apps directed users to scams or online casinos. All mentioned apps have been removed, but users who installed them should delete and scan their devices. To avoid such apps, limit installations, read reviews, and verify publishers’ trustworthiness.

Some notable examples of those are:

  • Eternal Maze (Yana Pospyelova) – 50,000 downloads
  • Jungle Jewels (Vaibhav Wable) – 10,000 downloads
  • Stellar Secrets (Pepperstocks) – 10,000 downloads
  • Fire Fruits (Sandr Sevill) – 10,000 downloads
  • Cowboy’s Frontier (Precipice Game Studios) – 10,000 downloads
  • Enchanted Elixir (Acomadyi) – 10,000 downloads

Finally, the antivirus team spotted two Joker family apps on Google Play, which subscribe users to premium paid services:

  • Love Emoji Messenger (Korsinka Vimoipan) – 50,000 downloads
  • Beauty Wallpaper HD (fm0989184) – 1,000 downloads

https://www.bleepingcomputer.com/news/security/android-adware-apps-on-google-play-amass-two-million-installs/

Configure Message Size Limits on O365

The current default message size limit on Office 365 is 36MB. Microsoft's guide on increasing these limits still points to the old Exchange Admin Center.

The current URL to make these changes is at https://admin.exchange.microsoft.com/

  1. Log in with your admin credentials and select Mailboxes.
  2. Select the user mailbox whose message size you want to increase.
  3. Click Mail flow settings and select Message size restriction.
  4. Change the value to your required size in KB. (100MB = 102400KB)

To make the change for all mailboxes, select the checkbox beside Display name and follow the same steps listed above.
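The same change through Exchange Online PowerShell, as an added example that is not part of the original post. It uses the ExchangeOnlineManagement module's Connect-ExchangeOnline, Set-Mailbox and Get-Mailbox cmdlets; the function name, the mailbox identity and the example.com domain are placeholders.

```powershell
# Added example (not from the original post): raise the send and receive size limits of
# one mailbox, or of every mailbox, from PowerShell instead of the admin center.

# Install-Module ExchangeOnlineManagement   # once, if the module is not present
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive admin sign-in

function Set-MailboxMessageSizeLimit {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # UPN, alias or display name
        [ValidateRange(1, 150)] [int] $SizeMB = 100  # 100MB = 102400KB as in the post
    )
    # Exchange accepts byte quantities with a unit suffix, so "100MB" avoids doing the
    # KB arithmetic by hand. Both directions are set so large messages can be sent as
    # well as received.
    $limit = "${SizeMB}MB"
    Set-Mailbox -Identity $Identity -MaxSendSize $limit -MaxReceiveSize $limit

    # Return the effective values so the change can be confirmed.
    Get-Mailbox -Identity $Identity | Select-Object DisplayName, MaxSendSize, MaxReceiveSize
}

# Single mailbox (placeholder address):
# Set-MailboxMessageSizeLimit -Identity 'user@example.com' -SizeMB 100

# Every existing mailbox (the "select all" step in the admin center):
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Set-MailboxMessageSizeLimit -Identity $_.UserPrincipalName -SizeMB 100 }
```

Note that this only changes mailboxes that already exist; mailboxes created later take their limits from the tenant's mailbox plan, so the per-mailbox step has to be repeated for them (or the plan itself adjusted with Set-MailboxPlan).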

Add an additional layer of security to your existing setup by implementing a USB FIDO2-compliant security key. Free up your IT resources from having to secure user-owned devices running the Microsoft Authenticator app.

Our hardware authenticator supports passwordless sign-in on Microsoft Entra and also on on-premises Active Directory.

PayNow Possible Info Leak

Getting a call from a long lost “friend” whom you don’t recall knowing?

These calls come from scammers who use the name attached to your PayNow-linked mobile number and pretend to be someone you know.

Your name or alias is shown when someone attempts to pay you via your mobile number.

Chances are they know about as much about you as the hawker stall you paid for your food using PayNow/PayLah!.

If you change your PayNow name to Salvatore, chances are the scammers will be calling and asking for Salvatore.

Exchange vs Traditional Mail System

Full featured Cloud Solution

Some companies may not foresee the implications of using an older POP3 or IMAP mail system: a disgruntled employee may delete critical information from their mailbox without anyone noticing, data is lost when a system crashes, and data becomes inconsistent across multiple devices.

With Office 365, your retention policy applies to the whole range of user content, from mailboxes, OneDrive and SharePoint sites to Teams messages, and that content can be placed on litigation hold indefinitely, making the information available should the need arise.

Access to any mailbox can be granted simply by assigning access permissions, instead of copying or moving .pst files around.

Losing email to system failures and crashes is not an issue with Exchange: all that is required is to set up the email account on another system and resync the mailbox to the new device with everything intact.

A large portion of email compromises is due to the lack of multi-layer authentication. A successful brute-force attack gives an attacker unrestricted access to the mailbox thereafter. MFA/2FA adds a further layer of security through code verification in an authenticator app on the owner's mobile device.

In traditional cPanel hosting, two-factor authentication is only available for webmail access but not within Outlook, as there is no native support nor any third-party application for it yet.

The migration process may be tedious, but we are able to provide the full support required.

Is Microsoft ditching SMS for Multi-Factor Authentication (MFA)?

Microsoft is discontinuing support for SMS in specific sign-in scenarios. This includes sign-ins from new devices and those that need multi-factor authentication (MFA).

The reason behind this move is to step up security and minimize the chances of unauthorized access.

Typically, the concern arises because employees might not want to use their personal mobile devices to verify their access.

Customers have the option to establish a Conditional Access policy to reduce the frequency of MFA prompts when users are in trusted locations. To do this, you will need at least one Azure AD P1 (Microsoft Entra ID P1), Office 365 E3, or Microsoft 365 Business Premium subscription.

Another choice is to get a FIDO2 key or a FIDO2-compliant pass for each user. If you encounter any difficulties while setting up MFA using these methods, feel free to reach out to us for assistance.