Author: Aiden Galvin

HPE iLO Firmware Download Links

Using the links below you can download the most recent HPE iLO (Integrated Lights-Out) firmware files; these are all I could find on HPE’s website:



ILO1 Latest : ilo196.bin (30-Apr-2014)


ILO2 Latest : ilo2_232.bin (18-Feb-2018)


ILO3 Latest : ilo3_189.bin (iLO3 v 1.89.2 07-Jul-2017)


ILO4 Latest : ilo4_255.bin (iLO4 v 2.55.10 16-Aug-2017)


ILO5 Latest : ilo5_120.bin (9-Feb-2018)

An Easy Guide For How To Mitigate Spectre And Meltdown

Are you stuck trying to understand how to protect your devices or company against Spectre and Meltdown? Well, you are unfortunately not alone. This article should help clear it up.

Ever since the two vulnerabilities nicknamed Spectre and Meltdown, affecting multiple CPUs dating back to 1995, were leaked a few weeks back, vendors have been rushing to release patches and updates to mitigate the issue.

This initial flood of patches has not been smooth: there have been many incompatibility issues, along with general finger pointing and frustration. To help clear up some misconceptions, I’ve put the following guide together. It walks through the major updates to operating systems and browsers, explaining how they address Meltdown and/or Spectre, what they specifically don’t address, and any known compatibility or performance issues that have been reported.

Meltdown and Spectre – What are they?

Before we dive in, here’s a quick explanation of what Meltdown and Spectre are all about.

Meltdown (CVE-2017-5754)

Meltdown is a vulnerability affecting CPUs that allows a user program to read privileged kernel-mode memory. It affects all out-of-order execution Intel processors released since 1995, with Itanium and pre-2013 Atoms being the only exceptions. A list of vulnerable ARM processors and mitigations can be found here. No AMD processors are affected by Meltdown.

Out of the two vulnerabilities, Meltdown is the easier one to fix, and can most commonly be addressed by applying an Operating System update.

Spectre (CVE-2017-5753, CVE-2017-5715)

Spectre is better described as a whole new class of attack rather than a single standard vulnerability. It is enabled by the unintended side effects of speculative execution (this is what processors do to achieve higher speeds: they guess what they will be asked to do next and work on the likely result in advance, so that when the request actually arrives the answer is hopefully already available, or at least already being computed).

There are two different variants of Spectre: the first variant (bounds check bypass, CVE-2017-5753) and the second (branch target injection, CVE-2017-5715). Both variants can potentially allow attackers to extract information from other running processes (e.g. stealing login cookies from web browsers).

AMD, ARM and Intel processors have all been reported vulnerable to Spectre to varying degrees, and this poses significant patching problems. While operating system and browser updates have helped mitigate the risk of Spectre to some degree, many experts agree the only true fix is a hardware update. As such, Spectre is likely to remain an issue for many years to come.

Source: SANS / Rendition Infosec. See the full presentation here

It’s important to note that both vulnerabilities are information disclosure issues. Neither vulnerability allows remote code execution – in other words, they don’t allow attackers to run malware.


Operating System updates

Windows updates

Microsoft’s process for rolling out its Security Update to address Meltdown and Spectre has been a bit of a roller-coaster, tainted by incompatibility issues with anti-virus software and AMD processors. For some scenarios, deployment of the 2018-01 Security update has had to be put on hold or restricted altogether.

More details and direct download links to the updates below:

  • Windows 10
  • Windows 8 and Windows Server 2012
  • Windows 7 and Windows Server 2008

What the Microsoft Patches address:

  • Spectre variant 1, bounds check bypass (CVE-2017-5753)
  • Meltdown, rogue data cache load (CVE-2017-5754)

The original Security update did not provide the Meltdown mitigation for 32-bit OSs (x86-based OS).
Microsoft advisory regarding 32-bit: “The 32-bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time.” Microsoft continued to work with the affected chip manufacturers and has now released an additional Security update to mitigate CVE-2017-5754 for 32-bit OSs: KB4073291

What they don’t address:

  • Currently the second variant of Spectre, branch target injection (CVE-2017-5715) – at present firmware updates are required to fully address Spectre variant 2.

Known issues:

  • Anti-Virus compatibility: Microsoft only delivers the January 2018 security update to devices where the installed anti-virus vendor has set the following registry key to confirm its software is compatible:

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000"

This resulted in a lot of initial confusion in the sector, with anti-virus companies providing different updates and some simply going silent, which did not help; some set the registry key for their customers while others requested that users set it themselves. The situation only gets more complicated considering many organisations have more than one anti-virus solution to maintain.

Should you use one of Microsoft’s own solutions, Microsoft has clarified that Windows Defender Antivirus, System Center Endpoint Protection, and Microsoft Security Essentials are all compatible with the update and that they do set the registry key.

This means that if you have one of those built-in Microsoft protections enabled, the registry key should be set automatically and no further manual action should be necessary. However, if you use a third-party anti-virus then two things can happen. If Microsoft officially recognises the anti-virus software, then Windows Defender and Microsoft Security Essentials should automatically be turned off, so your third-party anti-virus will need to provide the update (and set the key). If Microsoft does not officially recognise your anti-virus, then Windows Defender or Microsoft Security Essentials will set the registry key even though your third-party anti-virus may not support the update, which could result in blue screen issues.

Kevin Beaumont has created a spreadsheet to keep track of the antivirus vendors and whether they make this key: //


To manually add the registry key and obtain the update now, you can enter the following into a command prompt window (as admin) and then run Windows Update ( does not accept any liability for any issues that could arise as a result and would recommend you contact Microsoft and your AV provider prior to doing this):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f

  • AMD compatibility issues: As first reported by The Verge, Microsoft received numerous reports of PCs running AMD processors getting into a boot loop after installing the latest Windows security update. After some investigation, the company confirmed that there were issues and temporarily stopped delivering the update to AMD devices. If you are affected by the AMD incompatibility with the Windows Update then you will need to visit Microsoft’s support site for details on getting your machine(s) back up and running. Microsoft announced on the 18th January that it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10, 1709. Updates for four older versions of Windows 10 – 1511, 1607, and 1703 – are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.
  • Group or MDM policy configurations may be disabling updates: According to Microsoft, if you have Group or MDM policy settings configured to disable preview builds, your machines may not be receiving updates (see what those settings are here). To fix that, Microsoft recommends temporarily changing Group/MDM policy settings to “Not Configured” and changing them back once the updates have been installed.
  • Performance implications: Just as with the other operating systems, patches addressing Meltdown and Spectre are expected to have a varied but generally minor impact on performance. In a blog post, Microsoft Executive VP Terry Myerson explained that the impact of the fixes can vary depending on factors such as the version of Windows running and the age of the machine:
    • Windows 10 on circa-2016 PCs with Skylake, Kabylake, or newer CPU: Single-digit slowdowns, which most users shouldn’t notice.
    • Windows 10 on circa-2015 PCs with Haswell or older CPU: Slowdown can be more noticeable. Some users may notice a decrease in performance.
    • Windows 8 or Windows 7 on circa-2015 PCs with Haswell or older CPU: Most users will likely notice a decrease in performance.
    • Windows Server (any CPU): Mitigations to isolate code within a Windows Server instance result in a more significant performance impact, but as with the above it will very much depend on the workload and age of the hardware. According to Myerson, “This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance trade-off for your environment.”

Enabling protections for Windows Server

Microsoft has also advised Windows Server customers that they need to take the additional step of adding the following registry keys in order to enable patch protections.

To enable the fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f 

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f


If this is a Microsoft Hyper-V host and the firmware updates have been applied, you will need to fully shut down all virtual machines; the mitigation will not take effect until the VM’s next boot. When you restart the host, shut down all virtual machines first and then restart the host. Do not “Save” or “Pause” a VM for the reboot, since the VM has to boot from scratch for the mitigation to take effect.

To disable this fix:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f


Again, you will need to fully restart the Hyper-V host and virtual machines for this change to take effect. (Note that there is no requirement to change MinVmVersionForCpuBasedMitigations in order to disable the mitigations.)

Microsoft also notes that for Hyper-V hosts, live migration between patched and un-patched hosts may fail. The company also points to an alternative protection mechanism you can use on hosts that don’t have updated firmware yet.

Additional guidance from Microsoft:

Verifying new Windows protections are enabled:

To help confirm whether updates have been implemented correctly Microsoft has provided a PowerShell script that system administrators can run to test Meltdown and Spectre mitigations.

The following command will install the PowerShell module:

PS > Install-Module SpeculationControl

Note: There are a couple of requirements for running this command. First, you’ll need to be running PowerShell with admin privileges and may need to adjust the execution policy. Also, the Install-Module command was introduced in PowerShell 5.0. Most Windows 7 machines will not have this version, since the upgrades are optional and unrelated to security. Any device with an older version of PowerShell can still run the “Get-SpeculationControlSettings” function, but only if you obtain the contents of the script and run it ad hoc.

Once installed, the following command will run the test to check your system:

PS > Get-SpeculationControlSettings

The output will look something like this:

Results for Spectre protections

The first group – “Speculation control settings for CVE-2017-5715 [branch target injection]” – refers to the protections in place for the Spectre vulnerability. If the value for “Windows OS support for branch target injection mitigation is present” is “True” then the Windows Security update has been successfully installed.

The other red text in that section confirms that more complete mitigation for Spectre requires firmware updates, which Intel has said it is in the process of rolling out. According to the company, updates for more than 90 percent of its processor products should be available by the end of next week.

Results for Meltdown protections

The second group – “Speculation control settings for CVE-2017-5754 [rogue data cache load]” – refers to the protections in place for the Meltdown vulnerability. If you see the following results and no red lines then you’ve confirmed the Windows Security update has been successfully implemented and the machine is protected:

Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True

Test results confirming successful mitigation of the Meltdown vulnerability

If you see any red lines in this section then the update has not been successfully applied. For more details on interpreting the PowerShell script output, Microsoft has a full results key here.
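Reading the coloured report by eye does not scale across a fleet, so here is an added example (my own script, not from the original post or from Microsoft) that calls Get-SpeculationControlSettings and reduces the two groups described above to a small pass/fail object. It assumes the SpeculationControl module is installed or the script has been dot-sourced, and that the returned object carries the property names used below (BTIWindowsSupportPresent, KVAShadowRequired and friends, as the module returns them; check with Get-Member if your version differs).

```powershell
# Added example, not part of the original post or of Microsoft's module.
# Assumes Get-SpeculationControlSettings is available (Install-Module SpeculationControl,
# or the script dot-sourced on older PowerShell). Property names are those of the
# object the module returns; verify with ($s | Get-Member) if your version differs.

function Test-SpectreMeltdownMitigations {
    [CmdletBinding()]
    param()

    if (-not (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue)) {
        throw "Get-SpeculationControlSettings not found: run Install-Module SpeculationControl or dot-source the script."
    }

    # The function prints its own coloured report; we only keep the returned object.
    $s = Get-SpeculationControlSettings

    # Spectre variant 2 (CVE-2017-5715): OS support present = the Windows update is installed;
    # hardware support present = the CPU microcode/firmware update has been applied.
    $btiOsPresent  = [bool]$s.BTIWindowsSupportPresent
    $btiOsEnabled  = [bool]$s.BTIWindowsSupportEnabled
    $btiHardware   = [bool]$s.BTIHardwarePresent

    # Meltdown (CVE-2017-5754): if the hardware needs kernel VA shadowing,
    # OS support must be both present and enabled. CPUs that do not need it
    # (e.g. AMD) count as protected.
    $kvaRequired   = [bool]$s.KVAShadowRequired
    $kvaProtected  = (-not $kvaRequired) -or
                     ([bool]$s.KVAShadowWindowsSupportPresent -and [bool]$s.KVAShadowWindowsSupportEnabled)

    [pscustomobject]@{
        WindowsUpdateInstalled     = $btiOsPresent
        SpectreV2FirmwareApplied   = $btiHardware
        SpectreV2Mitigated         = ($btiOsPresent -and $btiOsEnabled -and $btiHardware)
        MeltdownHardwareVulnerable = $kvaRequired
        MeltdownMitigated          = $kvaProtected
        PcidOptimizationEnabled    = [bool]$s.KVAShadowPcidEnabled
    }
}

$r = Test-SpectreMeltdownMitigations
$r | Format-List

# Turn the red lines from the report into actionable warnings.
if (-not $r.WindowsUpdateInstalled) { Write-Warning "January 2018 Windows security update is not installed." }
if (-not $r.SpectreV2Mitigated)     { Write-Warning "Spectre variant 2 is not fully mitigated: firmware/microcode update still required." }
if (-not $r.MeltdownMitigated)      { Write-Warning "Meltdown mitigation (kernel VA shadow) is not active." }
```

The object is convenient to collect from many hosts with Invoke-Command and filter on the three boolean verdicts.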

MacOS and iOS updates

Apple included mitigations to address Meltdown in its macOS 10.13.2 and iOS 11.2 updates released in December. They have since followed up with additional mitigations addressing the Spectre vulnerability with the recently released macOS High Sierra 10.13.2 Supplemental Update and iOS 11.2.2 update.

What they address:

  • Meltdown (CVE-2017-5754)
  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What they don’t address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent
    Apple says its latest updates to MacOS, iOS, and Safari overall help to mitigate the risk of Spectre being exploited, however the company acknowledges it will be continuing to develop and test further mitigations.

No reported issues



Browser updates

Security researchers have been advising that the most likely exploitation of Spectre will be web-based attacks using JavaScript (for example, via a malicious ad) to leak information, session keys, etc. cached in the browser. Given this, Google, Mozilla, Apple, and Microsoft have all either issued or scheduled new updates for their browsers to reduce that risk.

What browser updates address:

  • Spectre (CVE-2017-5753 and CVE-2017-5715) to some extent

What browser updates don’t address:

  • Meltdown (CVE-2017-5754)
    You will still need to apply Operating System updates to mitigate Meltdown.


Google has announced it will be including the mitigations for Spectre starting with Chrome 64, which will be released on or around January 23. For the time being, Chrome users are advised to enable site isolation, which can help prevent the possibility of one site stealing data from another site.


Mozilla has already issued Firefox version 57.0.4, which helps address Spectre by disabling or reducing Firefox’s internal timer functions and disabling the SharedArrayBuffer feature. Firefox users can take additional precaution by enabling site isolation, as well.


Apple has released Safari 11.0.2 to specifically mitigate the effects of Spectre.

IE and Edge

Microsoft has made changes to both Internet Explorer 11 and Microsoft Edge to mitigate Spectre. In addition to removing support for SharedArrayBuffer from Edge, it has made changes to reduce the precision of several time sources to make successful attacks more difficult.


Firmware updates

Operating System and Internet Browser updates only partially mitigate Meltdown and Spectre. UEFI firmware and BIOS updates are also required to mitigate them further. If and when these updates will be pushed out varies from vendor to vendor, adding yet another layer of complexity, uncertainty and frustration to patching. In practice this may mean you will only obtain the updates by proactively checking with PC/server manufacturers periodically over the coming days or weeks.


Intel has released new Linux Processor microcode data files that can be used to add Meltdown and Spectre mitigations without having to perform a BIOS update.

Intel promised firmware updates for 90 percent of the affected processors made in the past five years by the 15th January. So far, it looks as though they are on track, and it now rests on the downstream vendors/distributors to complete testing and deployment to their respective customer bases. These microcode fixes apply to a specific list of processors, provided here.

The microcode updates can be obtained directly from Intel, and Bleeping Computer has provided instructions and a video example to help walk admins through the install process here. It should be noted that some issues have already been reported with the updates, specifically around unwanted reboots. Intel initially confirmed that machines with Broadwell and Haswell CPUs were experiencing that issue, but later acknowledged that machines running newer processors were affected as well.

Windows users need to wait until Microsoft finalizes testing the microcode and releases an additional update to add in these further mitigations.

Known issues:

  • Older Intel Broadwell and Haswell CPUs experiencing sudden reboots: Intel has confirmed they have received reports of some glitches resulting from the firmware update on systems running Intel Broadwell and Haswell CPUs.
  • Newer Intel CPUs also experiencing sudden reboots: Intel has confirmed the firmware update is causing machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake processors to suffer from sudden reboots too.
  • Performance impact: Information regarding the potential performance implications of these updates has been inconsistent; however, Intel has most recently said the patches are slowing processors down by six percent in certain situations. Intel has shared more details on performance impact for specific workloads in a chart you can find here.

NOTE: Intel has currently requested that customers stop installing its firmware update; they are aware of the issue and are working on a resolution.


AMD has officially acknowledged that its processors are vulnerable to both variants of Spectre, but denies being vulnerable to Meltdown. While AMD says that OS patches are sufficient to mitigate the first variant of Spectre, it has also started rolling out optional microcode updates as of last week; the initial fixes are focused on the Ryzen and EPYC processors.

Known issues:

  • Windows OS update compatibility issues: As first reported by The Verge, Microsoft received numerous reports of PCs running AMD processors getting into a boot loop after installing the latest Windows security update. After some investigation, the company confirmed that there were issues and temporarily stopped delivering the update to AMD devices. Affected users needed to visit Microsoft’s support site for instructions on getting their machines back up and running. Microsoft announced on the 18th January that it will resume rolling out patches for AMD devices running Windows 7 SP1 and Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2, and the latest version of Windows 10, 1709. Updates for four older versions of Windows 10 – 1511, 1607, and 1703 – are still on hold, as are updates for Windows Server 2016 and Windows 10 Enterprise.


Right now the priority is not to stress and not to rush out and deploy every update you can find; instead, take a step back, assess the situation and work out how you can best mitigate these vulnerabilities. At present I would concentrate on Operating System and Internet Browser updates, provided your anti-virus is up to date. The firmware updates are fresh and seem to be experiencing more issues, so I would hold off on them a little longer while the dust settles and you can be reassured of their stability. As always, remember to test before mass-scale deployment and make sure you have a proven, restorable backup to revert to in case you encounter any issues.

Fresh information surrounding Meltdown and Spectre is coming out every day, so there is likely much more to come. I will be following closely and providing updates as soon as possible.

CPU Flaws – Meltdown and Spectre

Two vulnerabilities called Meltdown and Spectre have recently been discovered. You have probably seen these in the news over the past 24 hours, since they affect most modern processors and allow malicious programs to steal information from the memory of other programs. This means that a malicious program could steal passwords, account information, encryption keys, or theoretically anything stored in the memory of a process.

Most vendors have started to release information about how customers can protect themselves from Spectre or Meltdown and to what extent they are vulnerable. To make this information easier to find, I will be adding key information and links to the various advisories as they are released.



CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754


CPU hardware implementations are vulnerable to side-channel attacks. These vulnerabilities are referred to as Meltdown (// and Spectre (//


An attacker able to execute code with user privileges can achieve various impacts, such as reading otherwise protected kernel memory and bypassing KASLR.

CVSS Metrics (Learn More (//

Group          Score   Vector
Base           1.5     AV:L/AC:M/Au:S/C:P/I:N/A:N
Temporal       1.2     E:POC/RL:OF/RC:C
Environmental  2.0     CDP:ND/TD:H/CR:H/IR:ND/AR:ND



1. Update OSs – this will mitigate the issue so that the operating system itself cannot be exploited, but if the operating system is re-installed or the update removed then the device would still be vulnerable.

2. Apply Firmware updates from OEM (CPU Microcode) when/if available – this should offer a full resolution to the vulnerabilities.

3. Replace the CPU with one that isn’t vulnerable – the best option for ensuring you are not vulnerable, but not the easiest or potentially quickest solution.

Windows Server and Client – antivirus


“The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.”

^^ We need to test and potentially contact AV providers to check their product is compatible, and make sure they add the registry key to say so. Otherwise we aren’t getting protected.


Antivirus support chart

Microsoft will only distribute the security update released on January 3rd 2018 to devices where a particular registry key has been added by an installed antivirus vendor. Kevin Beaumont has created a spreadsheet to keep track of the antivirus vendors and whether they make this key: //


To manually add the registry key and obtain the update now, you can enter the following into a command prompt window (as admin) and then run Windows Update ( does not accept any liability for any issues that could arise as a result and would recommend you contact Microsoft and your AV provider prior to doing this):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" /v "cadca5fe-87d3-4b96-b7fb-a231484277cc" /t REG_DWORD /d "0x00000000" /f



Windows Server

Microsoft guidance for Windows Server: //

Important note: the patch is disabled by default for performance reasons.

To enable the mitigations

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
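The reg add commands above (and the same ones in the Spectre/Meltdown guide earlier on this page, including the Hyper-V MinVmVersionForCpuBasedMitigations value and the disable variant with FeatureSettingsOverride 3) write the keys but give you no way to read back what state a host is actually in, so here is an added example of my own, not from the original post or from Microsoft, that audits all three settings. Key paths and values are the ones quoted in the posts; the bit meaning of FeatureSettingsOverride (bit 0 = branch target injection mitigation, bit 1 = kernel VA shadow, a set bit disables that mitigation, and the bit only counts when also set in the mask) is Microsoft's documented semantics for these keys, and the "default enabled on client, disabled on Server" behaviour is taken from the Windows Server note above.

```powershell
# Added example, not part of the original post or of Microsoft's guidance. Run elevated.
# Reads back the registry values the reg add commands on this page set and reports the
# resulting mitigation state. Assumption: FeatureSettingsOverride bit 0 controls the
# branch target injection (Spectre v2) mitigation and bit 1 the kernel VA shadow
# (Meltdown) mitigation; a bit that is set DISABLES the mitigation, and a bit is only
# honoured when the same bit is set in FeatureSettingsOverrideMask.

$QualityCompatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$MemMgmtKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$VirtKey           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Resolve-MitigationBit {
    param(
        [int]$Bit,            # 1 = BTI (Spectre v2), 2 = KVA shadow (Meltdown)
        $Override,            # FeatureSettingsOverride, may be $null
        $Mask,                # FeatureSettingsOverrideMask, may be $null
        [bool]$IsServer
    )
    # Mask bit clear (or keys absent): the OS default applies, which is enabled on
    # client SKUs and disabled on Windows Server (the post notes the Server default).
    if ($null -eq $Override -or $null -eq $Mask -or (($Mask -band $Bit) -eq 0)) {
        if ($IsServer) { return 'Disabled (OS default, keys not set)' }
        return 'Enabled (OS default)'
    }
    if (($Override -band $Bit) -ne 0) { return 'Disabled (explicitly via FeatureSettingsOverride)' }
    return 'Enabled (explicitly via FeatureSettingsOverride)'
}

function Get-SpectreMeltdownRegistryState {
    $compat   = Get-RegValueOrNull $QualityCompatKey $QualityCompatName
    $override = Get-RegValueOrNull $MemMgmtKey 'FeatureSettingsOverride'
    $mask     = Get-RegValueOrNull $MemMgmtKey 'FeatureSettingsOverrideMask'
    $minVm    = Get-RegValueOrNull $VirtKey   'MinVmVersionForCpuBasedMitigations'

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1

    [pscustomobject]@{
        IsWindowsServer          = $isServer
        AntiVirusCompatKeySet    = ($null -ne $compat)   # required to receive the January 2018 update
        FeatureSettingsOverride  = $override
        FeatureSettingsOverrideMask = $mask
        SpectreV2_BTI_Mitigation = Resolve-MitigationBit -Bit 1 -Override $override -Mask $mask -IsServer $isServer
        Meltdown_KVAShadow       = Resolve-MitigationBit -Bit 2 -Override $override -Mask $mask -IsServer $isServer
        HyperV_MinVmVersion      = $minVm                 # "1.0" per the guidance; $null if never set
    }
}

$state = Get-SpectreMeltdownRegistryState
$state | Format-List

if (-not $state.AntiVirusCompatKeySet) {
    Write-Warning "QualityCompat key is absent: Windows Update will not offer the January 2018 security update."
}
if ($state.IsWindowsServer -and $null -eq $state.HyperV_MinVmVersion) {
    Write-Warning "MinVmVersionForCpuBasedMitigations is not set; VMs on a Hyper-V host will not expose the mitigations."
}
```

Per the guide, the values written by the "enable" commands (Override 0, Mask 3) report both mitigations as explicitly enabled, and the "disable" commands (Override 3, Mask 3) report both as explicitly disabled; the change still needs the reboot the post describes before the kernel picks it up.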

MS SQL Server

SQL specific information to come out later today

Windows Client

Microsoft guidance for Windows Client: //

Mozilla Firefox

Firefox will be adding mitigations for websites trying to exploit in Firefox 57: //

Google Chrome

Chrome 64, due late January, will include protection for websites trying to exploit: //

Microsoft Edge and Internet Explorer 11

Microsoft have released an update yesterday which includes protection for websites trying to exploit: //

Amazon AWS – cloud

AWS has protected their customers: //


“The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required.”


ETA for completion of hypervisor-level patching is 24-48 hours. MS will try to respect availability sets (if configured); the maintenance was originally planned for the fabric to be updated over the following couple of weeks, but they have had to condense it, so they cannot guarantee it but will try to respect availability sets.

Reboots can take place at any time (e.g. they could reboot Azure VMs during business hours).

AMD processors

Google Project Zero (GPZ) Research   Title                     Details
Variant One                          Bounds Check Bypass       Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
Variant Two                          Branch Target Injection   Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
Variant Three                        Rogue Data Cache Load     Zero AMD vulnerability due to AMD architecture differences.

The full advisory can be found here: //

Tom Lendacky, a software engineer at AMD, posted an email to the Linux Kernel Mailing List stating:

“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.  The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.

Disable page table isolation by default on AMD processors by not setting the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI is set.”

You can read the full post here: //


The Android team has updated their January 2018 bulletin with the following note:

“CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754, a set of vulnerabilities related to speculative execution in processors, have been publicly disclosed. Android is unaware of any successful reproduction of these vulnerabilities that would allow unauthorized information disclosure on any ARM-based Android device.

To provide additional protection, the update for CVE-2017-13218 included in this bulletin reduces access to high-precision timers, which helps limits side channel attacks (such as CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754) of all known variants of ARM processors.

We encourage Android users to accept available security updates to their devices. See the Google security blog for more details.”

The full bulletin can be found here: //


Apple has announced that all Mac systems and iOS devices are affected, with the following statement.

“Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown. Apple Watch is not affected by Meltdown. In the coming days we plan to release mitigations in Safari to help defend against Spectre. We continue to develop and test further mitigations for these issues and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS.” //

Xen hypervisors



Suggested to patch these ASAP (currently waiting to see if there are any issues) if you use the hypervisor as a security layer (e.g. a bank or cloud provider). Advisory and patches: //


WannaCry accidental hero MalwareTech arrested by FBI for role in Kronos Trojan

The UK-based security researcher who uses the handle @MalwareTechBlog (aka Marcus Hutchins), and who became the self-professed accidental hero during the WannaCry outbreak back in May, has been arrested by the FBI for his involvement in the Kronos malware campaign that took place in 2014-2015.

Yesterday, the FBI detained Marcus Hutchins after the DEF CON hacking conference in Las Vegas as he attempted to fly home to London, where he works as a researcher for the cyber security firm Kryptos Logic. Shortly after his arrest, the Department of Justice unsealed an indictment against him. The indictment charges him with involvement in creating the Kronos banking trojan, a piece of malware used to steal banking credentials in 2014 and 2015 that was designed to spread via email, gathering the financial details of its victims. The indictment further alleges that he was involved in a conspiracy to sell it for $3,000 on dark web markets such as AlphaBay.

The news of Marcus Hutchins’ arrest has shocked much of the cyber security community. Marcus is well known, especially recently following his rise to fame in stopping the WannaCry outbreak, and is a well-respected member of the community, so this comes as quite damning news. It is not yet known exactly what evidence the FBI has on Marcus, but it could have come from last month’s FBI and Europol seizure of the servers of AlphaBay, which happens to be the site mentioned in the indictment.

Friends of Marcus have reported that he is currently being held at the FBI’s Las Vegas field office, but the FBI is not releasing any comments at this time. The evidence remains unclear; judging by the indictment, it seems the FBI believes Marcus built Kronos and an as-yet-unnamed co-conspirator released a video demo and sought to sell it. Looking back, we know that Marcus was researching Kronos around that time as he sought to get hold of a sample, just as he did with WannaCry.

Let’s face it, the FBI has a history of incorrectly punishing security professionals who are doing good, so personally I am holding off on any judgment, and ultimately I want to know what evidence the FBI claims to have.

Microsoft Newly Launched $250,000 Bug Bounty

With major security flaws in the news more and more, it may come as no surprise that technology companies are looking to invest more in defensive technologies and endeavouring to maintain a high standard of security. Following this path, Microsoft has now unveiled the new Windows Bounty Program. It includes all features of the Windows Insider Program and introduces a heightened focus on products such as Windows Defender and the Microsoft Edge browser, with the top bounty of $250,000 going to Hyper-V.

“Since 2013, we have launched multiple bounties for various Windows features. Security is always changing and we prioritize different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities.”

The program pays out between $500 and $250,000 USD depending on the type of bug found, with the aim of surfacing critical and important class remote code execution, elevation of privilege and design flaws that could compromise a customer’s privacy and security.

Microsoft is not alone in raising its cash incentives: Facebook chief security officer Alex Stamos announced earlier this week that Facebook is increasing its Internet Defense Prize to $1 million USD, a ten-fold increase on last year, when it awarded $100,000 in prizes.

Artificial Intelligence and the need to Regulate SkyNet!

With so many companies working on artificial intelligence at the moment, and a consensus in the field that this will eventually lead to artificial general intelligence (the kind seen in films like Terminator, with SkyNet), should we be worried? Is there a need to regulate this area of technology? Elon Musk has long argued that regulation is required, warning time and again that AI poses a serious threat to humanity. At the National Governors Association summer meeting over the weekend Musk repeated these sentiments to the governors in attendance, stressing that we need to start regulating AI right now.

“I have exposure to the very cutting edge AI, and I think people should be really concerned about it,” Musk told the attendees of the NGA summer meeting. “…until people see robots going down the street killing people, they don’t know how to react, because it seems so ethereal.” Musk said the solution is regulation: “AI is a rare case where we need to be proactive about regulation instead of reactive. Because I think by the time we are reactive in AI regulation, it’s too late.” He went on to describe the current model of legislation, in which governments only step in after a series of bad things happen and public outcry forces them to look at regulating an area, with the regulation itself still some years away. Musk argued that this model is inadequate for artificial intelligence because it represents “a fundamental risk to the existence of civilization.”

Musk joked that regulation does have its uses; areas should not be over-regulated, but they need some regulation, the FAA being his example: “if you ask the average person, hey do you wanna get rid of the FAA and just like take a chance on manufacturers not cutting corners on aircraft because profits were down that quarter, well hell no that sounds terrible”.

If you want to watch Musk’s session in full, his remarks on AI run from about 48 minutes to about 54 minutes, and at about 1 hour 16 minutes he takes a question from Governor Hickenlooper on the risks of AI.


Windows 365! Is it time for a subscription based OS?

There have long been rumours that Microsoft has plans for a subscription model covering more than its Office suite. When Windows 10 was still in beta there was a buzz about how the new operating system would be priced, and many surmised that, with Microsoft leaning towards subscriptions on its other key product lines, it was only natural to move the core OS to the same model. As we all know that didn’t happen: Microsoft chose to give Windows 10 away as a free upgrade for consumers. That upgrade period has since come and gone and Windows 10 has returned to the standard retail pricing of previous incarnations. A few builds later, Microsoft executives were at the last unveiling explaining the new features we will get to enjoy, but this time the product kept being referred to as Windows-as-a-Service.

Windows as a Service: we have heard that before, and some might dismiss it as marketing jargon, but I believe it is more than that. Microsoft has now trademarked the term “Windows 365”. Does this mean a subscription model really is coming?

For the most part people don’t buy an operating system; they buy a new computer with an OS pre-loaded. For those who do buy the OS outright, though, this could bring some interesting price points and bundles into the mix. Microsoft would likely offer a bundle with its current 365 line, packaging Office, OneDrive and the OS together, or even a gamer pack pairing it with an Xbox Live Gold membership and some store credit. Of course none of us expects Microsoft to offer only this model; more likely it would be an additional option for customers, since a low monthly figure is a lot easier to swallow than a couple of hundred pounds up front for an OS.

You’re allowed to WannaCry now as it’s not over!

Friday is typically a day when everyone’s thoughts are on the weekend: time to relax, time to escape from work for a precious two days. Friday 12th May 2017 was not one of those days. That Friday the ransomware game changed; enter “WannaCry”.

As that Friday unfolded, computer systems around the world were being taken down, from Telefonica in Spain to the NHS in the UK and FedEx in the US. My own first thoughts when I saw on the news that the NHS was facing major outages due to a new ransomware strain were, first, “oh great, another variant” and, second, “I wonder how it got in and spread so quickly; it almost looks like a coordinated attack given how much of the NHS has been hit”. News spread fast and the name of the new malware was out: “WannaCry” (also known as “WCry” and “WannaDecrypt0r”). By the evening everyone had heard of it.

WannaCry itself is just the payload: once delivered, it encrypts the target system’s files and displays a message demanding payment to get them back, so the payload is a fairly standard piece of ransomware. The intriguing part is the delivery mechanism, which uses the EternalBlue exploit from the NSA toolkit released last month. The worm component scans aggressively for TCP port 445 (Server Message Block, SMB) and fires EternalBlue at every host it finds; a successful exploit gives it kernel-level code execution on the victim with no credentials required, so it drops the payload there, encrypts the files and starts scanning from that host too, which is what lets it race across a network. An important point is that the scanning is not limited to the internal network: WannaCry also scans random internet addresses, so any host with port 445 exposed to the internet is a target.

WannaCry pairs EternalBlue with the DoublePulsar backdoor: EternalBlue exploits the SMB vulnerability, and on success DoublePulsar is implanted in the kernel and used to load the malware. Microsoft released patches for this vulnerability back in March (MS17-010) for every operating system in mainstream or extended support. Being patched closes the EternalBlue path, but it does not by itself mean you are safe: WannaCry also checks whether a target already has DoublePulsar installed and, if so, uses the existing backdoor to load the payload without needing the exploit at all. That backdoor could have been planted before the patch by any other attacker, or indeed by the NSA, since the toolkit was theirs before the Shadow Brokers released it.
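The worm behaviour described above has a very recognisable network signature: one host opening connections to TCP/445 on dozens of neighbours inside a minute or two. The following is an added example, not code from the original post, that looks for that fan-out in the Windows Firewall log (pfirewall.log) format. The log lines it runs on are constructed for the demonstration, and the threshold and time window are assumptions to tune for your own estate.

```powershell
# Added example (not from the original post): flag hosts fanning out to TCP/445
# the way the WannaCry worm component does, using Windows Firewall log lines.
# Field order follows the pfirewall.log header; the sample data is CONSTRUCTED.
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $Threshold = 20,        # distinct 445 targets per source per window (assumption)
        [int] $WindowMinutes = 5      # bucket width in minutes (assumption)
    )
    $events = foreach ($line in $LogLines) {
        if ($line -match '^\s*(#|$)') { continue }              # skip header/comment/blank lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        $ts = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            Date   = $ts.Date
            Bucket = [math]::Floor(($ts - $ts.Date).TotalMinutes / $WindowMinutes)
            Src    = $f[4]
            Dst    = $f[5]
        }
    }
    # One group per (day, source host, time bucket); alert when the number of
    # DISTINCT destinations on 445 in that bucket reaches the threshold.
    $events | Group-Object -Property Date, Src, Bucket | ForEach-Object {
        $distinct = ($_.Group.Dst | Sort-Object -Unique).Count
        if ($distinct -ge $Threshold) {
            [pscustomobject]@{
                Source        = $_.Group[0].Src
                WindowStart   = $_.Group[0].Date.AddMinutes($_.Group[0].Bucket * $WindowMinutes)
                DistinctHosts = $distinct
            }
        }
    }
}

# Constructed sample: 10.0.5.23 sweeps 40 neighbours on 445 within one minute (worm-like),
# while 10.0.5.40 talks to a single file server on 445 and a web server on 443 (normal).
$sample = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
for ($i = 1; $i -le 40; $i++) {
    $sample += '2017-05-12 13:01:{0:D2} ALLOW TCP 10.0.5.23 10.0.5.{1} {2} 445 0 - 0 0 0 - - - SEND' -f ($i % 60), (100 + $i), (49000 + $i)
}
$sample += '2017-05-12 13:01:05 ALLOW TCP 10.0.5.40 10.0.5.10 50112 445 0 - 0 0 0 - - - SEND'
$sample += '2017-05-12 13:01:07 ALLOW TCP 10.0.5.40 10.0.5.11 50113 443 0 - 0 0 0 - - - SEND'

Find-SmbFanOut -LogLines $sample -Threshold 20 | Format-Table -AutoSize

# Live use on a host (allowed-connection logging is off by default; enable it with
# Set-NetFirewallProfile -All -LogAllowed True, then point at the default log path):
#   Find-SmbFanOut -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Only the sweeping host is reported; the client that talks to one file server never reaches the threshold no matter how often it connects, because the count is of distinct destinations, not of connections. The same grouping works on a perimeter firewall export once the field indexes are adjusted, and an inbound 445 sweep from an internet address is the other half of the picture the post describes.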

On Friday evening the first variant was halted by the British security researcher MalwareTech (@MalwareTechBlog), who, after analysing the code, found that it made a request to an unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com) and only carried on with infection when that request failed. He registered the domain and sinkholed it, so the request now succeeds and the payload stops. Call me a pessimist, but on hearing this I immediately thought “it’s not over, this is just the start”, and over the weekend I set about gathering as much information as I could to understand it. The logical next step for the WannaCry authors is to change the kill-switch domain or remove it entirely, and without a kill-switch this would be a complete nightmare for sysadmins around the world.

Throughout the weekend security researchers have been working to get hold of samples to break them down. One researcher from France, who goes by @benkow_ on Twitter, discovered a new variant, WannaCrypt0r 2.0, and passed it to fellow researcher Matthieu Suiche for in-depth analysis. Matthieu found another kill-switch, this time pointing at a different domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com). He has since published a blog post explaining how he found it and registered the domain.

Working with MalwareTech, Matthieu transferred this second domain to MalwareTech’s sinkhole, and MalwareTech posted the following on Twitter:

“Thanks to @benkow_ who found what looks like a new ‘kill switch’ domain and @msuiche who registered it and transferred it to our sinkhole.”

Earlier I thought “it’s not over”, and it seems I may be right. Predictions that the fast-spreading WannaCry ransomware would quickly evolve to get around its domain-based kill-switch were everywhere, and they are starting to come true: we are already seeing reports of different domain names in use, and a few researchers have claimed to have found samples with no kill-switch at all (those researchers have since backtracked, and it looks like they may not have been working from a fresh sample from the wild). I still believe the kill-switch will be removed; it may not be done by the original authors but by a copycat group, but the exploits and the code are out there, so it is just a matter of time.

Sinkholing these kill-switch domains is only a temporary measure. New variants should be expected, so security measures should be put in place now to avoid falling victim later:

  1. Do not open email from unknown senders
  2. Do not download attachments from an unknown email
  3. Do not open files from an unknown email
  4. Avoid visiting untrusted or known-malicious sites
  5. Do not download software and apps from third-party stores or websites
  6. Untick “Hide extensions for known file types” in Explorer so the real extension is visible, and only open a file if the extension is the one you expect
  7. Apply any pending software updates and keep systems up to date
  8. Make sure you are using a reputable security suite/anti-virus
  9. Back up your data regularly and keep at least one copy offline: WannaCry deletes the Volume Shadow Copies on the machine it infects, so local restore points cannot be relied upon
  10. Use System Restore to get back to a known-clean state only as a last resort, given point 9

What additional steps should Windows users take?

Microsoft Windows is the target of this attack because WannaCry exploits a flaw in Microsoft’s SMBv1 implementation. To mitigate the risk, the MS17-010 update should be applied urgently if it has not been already. Microsoft published a direct download for each of the following platforms:

Windows XP SP3
Windows Vista x86
Windows Vista x64
Windows 7 x86
Windows 7 x64
Windows 8
Windows 8.1
Windows 10
Windows Server 2003 x86
Windows Server 2003 x64
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
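Knowing which download applies is one thing; confirming a fleet is actually covered is another. The script below is an added example, not code from the original post, that checks a Windows host for the MS17-010 update, reports whether SMBv1 is still enabled, and with -Apply disables SMBv1 and blocks inbound 445 from the internet. The KB numbers are the ones I believe map to MS17-010 per platform; verify them against the bulletin for your build before relying on them. The rule name is my choice. Run it elevated.

```powershell
# Added example (not from the original post): MS17-010 presence check plus SMBv1 hardening.
# Assumed KB-to-platform mapping from the MS17-010 bulletin; confirm before relying on it.
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Server 2003 / Vista / Server 2008 / Windows 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Exposure {
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
    # srv.sys is the SMB server driver MS17-010 replaces. On Windows 10 later cumulative
    # updates supersede the March KB, so "no KB found" is not proof of exposure; compare
    # this file version against the bulletin rather than trusting the KB list alone.
    $srv = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.FileVersion

    # SMBv1 state: Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on Windows 7 / 2008 R2 fall back to the LanmanServer SMB1 registry value (absent = enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                              -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    [pscustomobject]@{
        Ms17010KbFound = $found
        SrvSysVersion  = $srv
        Smb1Enabled    = $smb1
    }
}

function Invoke-SmbHardening {
    param([switch] $Apply)   # without -Apply nothing on the host is changed
    if (-not $Apply) { Write-Host 'Dry run: add -Apply to disable SMBv1 and add the firewall rule.'; return }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2: the registry change takes effect after a reboot
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Value 0 -Type DWord
    }
    # Internet-facing 445 is what lets the worm in from outside; block it at the host too.
    # Segmenting 445 between internal subnets has to happen on the network, not here.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block SMB 445 from Internet' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
}

Test-Ms17010Exposure | Format-List
Invoke-SmbHardening              # dry run; Invoke-SmbHardening -Apply to change the host
```

Disabling SMBv1 is a separate control from the patch: the patch fixes the bug EternalBlue exploits, while turning SMBv1 off removes the protocol the exploit speaks, and it also denies an already-implanted DoublePulsar its transport. Check for anything that still needs SMBv1 (old NAS boxes, printers, Windows XP clients) before rolling the change out broadly.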

WannaCry and the DoublePulsar Exploit

As many saw yesterday, the NHS suffered a major outage, and they were not alone: yesterday saw a mass outbreak of a new strain of ransomware called “WannaCry” (aka WanaCrypt0r, aka WCry). It behaves like ordinary ransomware in that it encrypts all your files and demands a ransom, but the way it gets into systems is not what we have seen before.

On April 14th, 2017 the group “Shadow Brokers” released a collection of tools the NSA had been using to break into and take full control of systems around the world; they had tried to auction the tools off last year, failed, and so chose to release them to everyone. Among those tools is the one that enabled yesterday’s global attack. Dubbed “EternalBlue”, it exploits a flaw in Microsoft’s SMBv1 server implementation, and when paired with “DoublePulsar” (also in the NSA toolkit) it plants a kernel-mode backdoor through which DoublePulsar can inject DLLs into processes on the target, giving the attacker full control of the system. To see how it works check out this link.

This is a very serious attack vector. Microsoft released a patch for it on March 14th, a month before the Shadow Brokers dump; that patch is MS17-010, and a breakdown of it can be found here.

Given the seriousness of this attack vector it is imperative to make sure all of your business and personal Windows devices are patched and up to date. Microsoft also released patches last night for some end-of-life (EOL) operating systems to reduce the risk to customers. The EOL platforms now covered are Windows Server 2003 (SP2 x64 / x86), Windows XP (SP2 x64, SP3 x86), Windows XP Embedded (SP3 x86), and the 32-bit and 64-bit versions of Windows 8.

Extract from Microsoft Statement: “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download. This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

MalwareTech has also published a blog post explaining how he stopped WannaCry in its tracks; to read it follow this link.


Install VMWare ESXi 6 as a Nested VM in Hyper-V

Windows Server 2016 has been out for a while now, and as people start to delve into it they will notice some new features lurking in the background. One of the less obvious ones is nested virtualisation: the ability to run a hypervisor inside a virtual machine.

Some may ask why anyone would want to run a hypervisor inside another hypervisor. A couple of scenarios spring to mind:

  1. You provide hosting services and a customer requests a Hyper-V (or ESXi) server. Rather than dedicate another physical server, you can carve out resources on one of your existing hosts and give them access to a virtual hypervisor: a space in which they can create and delete VMs freely, with the outer hypervisor keeping them isolated from your own virtual infrastructure.
  2. In my case I needed to test something on a Mac to confirm compatibility. Not having one to hand, I decided a VM would be a simple solution, but for that I needed ESXi, so I decided to spin up an ESXi server as a VM inside one of my Hyper-V servers. This let me quickly confirm my query without having to find spare hardware for a physical ESXi box.

As you can see there are uses for nested VMs, although I think adoption will take time, even for non-production systems. When I went to set up this ESXi server I initially struggled to find a guide that was readily available and simple to follow, so I have decided to share what I learnt below. You will need:


  1. A Hyper-V host:
    1. A Hyper-V host running Windows Server 2016 or Windows 10 Anniversary Update, or
    2. A Hyper-V VM running Windows Server 2016 or Windows 10 Anniversary Update (yes, you can nest virtualisation inside nested virtualisation...).
    3. In either case, the VM that will run ESXi must be configuration version 8.0 or greater.
    4. An Intel processor with VT-x and EPT technology.
  2. Enable-NestedVm.ps1, a PowerShell script for enabling nested virtualisation in a Hyper-V VM. Click here to get the file from the Microsoft team on GitHub.
  3. VMware PowerCLI installed; I used 6.3 release 1, downloaded from here. (Note: you will need a VMware account; if you don’t have one you can sign up here.)
  4. ESXi-Customizer-PS.ps1, a PowerShell script that downloads the ESXi 6.0 ISO and injects the required network driver into it for you. I downloaded it from here.

It is easier to follow this guide if you keep the downloaded scripts and the resulting ISO in one working folder; mine is “C:\NestedESXi\” (but of course that is up to you).

Phase 1 – Preparing ESXi ISO with Injected Drivers:

A stock ESXi kernel supports neither the Hyper-V “Network Adapter” (the synthetic one) nor the “Legacy Network Adapter”. The Legacy Network Adapter, however, emulates a DECchip 21140, for which a community driver (net-tulip) exists, so we can inject that driver into the ISO and give ESXi the ability to use the Legacy Network Adapter.

  1. Install VMware PowerCLI (Next, Next, Next).
  2. Open a PowerShell window.
  3. Navigate to your working directory, in my case: CD C:\NestedESXi\
  4. From the working directory run: .\ESXi-Customizer-PS-v2.5.ps1 -v60 -vft -load net-tulip (Note: the script version may have changed, so check the filename, ESXi-Customizer-PS-v2.5.ps1, against what you downloaded. -v60 selects ESXi 6.0, -vft adds the V-Front online depot that hosts net-tulip, and -load net-tulip injects the driver.)
  5. After a few minutes the ISO will have been downloaded and the net-tulip driver inserted, ready to use. The ISO is written to the folder you ran the script from (in my case C:\NestedESXi\).

Phase 2 – Creating the VM

  1. In Hyper-V Manager choose to create a new Virtual Machine.
  2. Give it a name and make sure the location is where you want the ESXi VM stored, then click Next.
  3. Select Generation 1 and click Next.
  4. Set the memory to at least 4096MB and untick “Use Dynamic Memory for this Virtual Machine” (nested virtualisation does not work with dynamic memory), then click Next.
  5. Don’t configure networking yet, just click Next; we need the Legacy Network Adapter, which can only be added after the wizard finishes.
  6. Select “Create a new virtual hard disk” and set the size to 10GB (this is only the boot disk for the ESXi hypervisor), then click Next.
  7. Select “Install an operating system from a bootable CD/DVD-ROM” and browse to the ESXi ISO in your working directory from Phase 1.
  8. Click Next and then Finish to create the VM.
  9. Right-click the new Virtual Machine and select Settings.
  10. Go to the Processor tab and set the number of virtual processors to at least 2 (ESXi will not install on a single vCPU).
  11. Select the existing Network Adapter and click Remove.
  12. Select Add Hardware, choose Legacy Network Adapter and click Add.
  13. Select the relevant virtual switch so the ESXi VM has network access.
  14. Click OK.

The majority of the VM configuration is now complete, we just need to enable the Nested Virtualization Extensions for the VM and then we can move onto configuring the ESXi itself.


Phase 3 – Enabling Nested Virtualization

  1. Open a PowerShell console.
  2. Enter the following commands (adjusting the vmName to match the name of your Virtual Machine in my case the name is “NestedESXi”)
    CD C:\NestedESXi\
    .\Enable-NestedVm.ps1 -vmName 'NestedESXi'


  3. Enter Y when asked to confirm any of the changes (Note: the Y is case sensitive).
  4. The Virtual Machine is now ready to have ESXi installed into it.
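Everything in Phases 2 and 3 can also be done from PowerShell on the Hyper-V host, which is handy when you want the build repeatable or want to check the result rather than trust the wizard. The script below is an added example, not code from the original post or from Microsoft’s Enable-NestedVm.ps1; it uses the Hyper-V module’s own cmdlets. The VM name, paths, switch name and sizes are my assumptions; change them to match your environment. Run it elevated with the VM powered off.

```powershell
# Added example (not from the original post): build the nested-ESXi VM with the Hyper-V
# cmdlets and expose the virtualisation extensions, instead of Hyper-V Manager + Enable-NestedVm.ps1.
# Assumed values: adjust to your environment.
$VmName  = 'NestedESXi'
$VmPath  = 'C:\NestedESXi'
$Switch  = 'External'                                                     # an existing virtual switch
$IsoPath = (Get-ChildItem "$VmPath\*.iso" | Select-Object -First 1).FullName   # the Phase 1 output

# Phase 2: Generation 1 VM, fixed 4 GB (dynamic memory is not supported with nested
# virtualisation), 10 GB boot disk, two vCPUs (ESXi refuses to install on one).
$vm = New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 4GB -Path $VmPath `
             -NewVHDPath "$VmPath\$VmName.vhdx" -NewVHDSizeBytes 10GB
Set-VMMemory    -VM $vm -DynamicMemoryEnabled $false
Set-VMProcessor -VM $vm -Count 2

# Swap the default synthetic adapter for the legacy one (DECchip 21140 = net-tulip driver).
Get-VMNetworkAdapter -VM $vm | Remove-VMNetworkAdapter
Add-VMNetworkAdapter -VM $vm -IsLegacy $true -SwitchName $Switch
# VMs running inside ESXi will send frames with their own MACs through this adapter,
# so MAC address spoofing must be allowed or their traffic is silently dropped.
Get-VMNetworkAdapter -VM $vm | Set-VMNetworkAdapter -MacAddressSpoofing On

# Attach the driver-injected ISO and boot from it first.
$dvd = Get-VMDvdDrive -VM $vm
if ($dvd) { Set-VMDvdDrive -VMDvdDrive $dvd -Path $IsoPath } else { Add-VMDvdDrive -VM $vm -Path $IsoPath }
Set-VMBios -VM $vm -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Phase 3: the essential change is exposing VT-x/EPT to the guest. This needs the VM
# powered off and at configuration version 8.0 or later.
if ([version]($vm.Version) -lt [version]'8.0') { Update-VMVersion -VM $vm -Force }
Set-VMProcessor -VM $vm -ExposeVirtualizationExtensions $true

# Verify before the first boot.
Get-VM -Name $VmName | Select-Object Name, Version, State
Get-VMProcessor -VMName $VmName | Select-Object Count, ExposeVirtualizationExtensions
Get-VMNetworkAdapter -VMName $VmName | Select-Object IsLegacy, SwitchName, MacAddressSpoofing
```

If ExposeVirtualizationExtensions still reads False after the script, the usual causes are a VM that was not fully off, a host below Windows Server 2016 / Windows 10 Anniversary Update, or a processor without EPT; the configuration version check covers the remaining prerequisite from the list above.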


Phase 4 – Initial Boot of ESXi Virtual Machine

  1. Start the ESXi Virtual Machine and connect to it so you can see the ESXi boot screen.
  2. Quickly press Tab to edit the boot options.
  3. Append ignoreHeadless=TRUE to the boot options.
  4. Press Enter.
  5. The ESXi installer will now load.
  6. After a few minutes the VMware ESXi 6 installer welcome screen appears.
  7. Go through the ESXi installation process as normal.
  8. You may receive a warning during the installation; you can ignore it and continue.
  9. The installation will begin.
  10. Once the installation has completed you will see the completion message.
  11. Make sure the ESXi installation ISO is ejected before rebooting the Virtual Machine.
  12. Press Enter to reboot the VM.

Phase 5 – Configure the ESXi Boot Options to persistently use “ignoreHeadless=TRUE”

The last thing to do is make the ESXi VM use “ignoreHeadless=TRUE” persistently so you do not hit boot problems every time. Without it the ESXi kernel treats the Hyper-V virtual machine as a headless system and hangs during boot; the option tells it to ignore that detection.

  1. When the ESXi machine reboots, quickly press SHIFT-O to set the boot options.
  2. Add the ignoreHeadless=TRUE to the Boot Options
  3. Press Enter to boot up the ESXi host
  4. Once the ESXi has booted up, press F2.
  5. Enter the root login credentials that were set during the ESXi installation process.
  6. Select Troubleshooting Options and press Enter
  7. Select Enable ESXi Shell and press Enter
  8. Press ALT+F1 to bring up the console
  9. Enter your root credentials.
  10. Enter the following command:
    esxcfg-advcfg --set-kernel "TRUE" ignoreHeadless


  11. Press ALT+F2 to return to the main ESXi screen.

The ignoreHeadless=TRUE setting is now persistent and will be applied at every boot without manual intervention.

There you have it: a fully functional ESXi host running inside a Hyper-V server. Microsoft does support running Hyper-V inside Hyper-V, but neither Microsoft nor VMware formally supports running ESXi in a nested environment (at least at present), so this should not be used for anything production. Hopefully it has opened some eyes to a hidden feature that hasn’t received much publicity. Hyper-V may finally be catching up with the VMware party, having joined exceptionally late; who knows what features Microsoft are looking at for future releases.