Cyber Countdown: Day 8

KieranRowley
Community Manager
3 months ago

Throughout December we are unwrapping fresh content, celebrating this year’s successes, and gifting you with the tools and insight you need to be ready for 2025.

Lab of the Day

Every day, we’re revisiting a standout lab from the past year—highlighting its impact and the skills it helped build, whilst also introducing you to the experts who built it.

Today's recommendation is from Kev Breen, Immersive Labs’ Senior Director, Cyber Threat Research. Kev said: CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Defensive was spun up in less than 24 hours after it became public on November 19th that threat actors were discovered actively exploiting a set of vulnerabilities in the Palo Alto operating system for its security devices. These exploits allowed threat actors to gain full control over these devices and pivot to the internal organization network.

By November 20th, the CTI team at Immersive reviewed all available information and created two labs replicating the attack and TTPs, enabling organizations to apply the skills to their own networks. The team worked quickly to understand the vulnerabilities, replicate the attacks, and create practical labs, with special thanks to the QA team for allowing us to release it in under 24 hours.

Blog of the Day

Speaking of Kev and the Threat Research Team, did you know that every month they review Microsoft’s Patch Tuesday updates and provide you with the key insights you need to protect your organisation? This month, Kevin Breen, BenMcCarthy, RobReeves and NatSilva have provided notes and guidance on the following in Patch News Day December 2024:

CVE-2024-49138 - 7.8: A Windows Common Log File System Driver Elevation of Privilege vulnerability which could have allowed threat actors to move laterally across the network and avoid detection by a blue team.

CVE-2024-49114 - 7.8: A Windows Cloud Privilege Escalation vulnerability that could enable the attacker to disable security tools.

CVE-2024-49093 - 8.8: A Windows Resilient File System (ReFS) Elevation of Privilege vulnerability which left the Windows system open to attackers executing code or accessing resources.

CVE-2024-49117 - 8.8: A Hyper-V Remote Code Execution Vulnerability which may have allowed the triggering of malicious code in the context of the server's account through a network call.

CVE-2024-49112 - 9.8: A Windows Lightweight Directory Access Protocol Remote Code Execution vulnerability which could be exploited by an attacker who has authenticated access to a guest virtual machine.

CVE-2024-49122 - 7.8: A significant Message Queueing Remote Code Execution flaw that can allow an unauthenticated attacker with network access to gain code execution on the underlying server.

Updated 2 months ago
Version 7.0