CVE-2024-5910: Understanding the Critical Expedition Vulnerability
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition tool, widely used for firewall configuration migrations. The flaw, stemming from missing authentication for a critical function, allows attackers with network access to the Expedition interface to gain administrative privileges without authorization. This issue (which has a CVSS score of 9.3!) represents a significant security risk, particularly for organizations using Expedition to manage sensitive configuration data. What is Expedition? Expedition simplifies the migration of firewall configurations from third-party systems to Palo Alto Networks devices. This process often involves importing sensitive credentials, secrets, and configurations, making the tool's security paramount. Exploit details The vulnerability could be exploited by sending crafted requests to reset the administrator password, granting attackers access to the system. Once inside, malicious actors could extract sensitive information, tamper with configurations, or launch further attacks against connected systems. Public proof of concept (PoC) code for exploiting this vulnerability is now available, increasing the urgency of mitigation measures. Which systems are affected? This vulnerability affects Expedition versions before 1.2.92, as detailed inthe advisory from Palo Alto Networks. Systems that expose Expedition to the internet are at heightened risk, with recent scans identifying several instances accessible online. Mitigation steps Update Expedition: Upgrade to version 1.2.92 or later, where the vulnerability has been patched. Restrict access: Ensure that network access to the Expedition tool is limited to trusted hosts and users. There’s no valid reason for the tool to be accessible from untrusted networks. Change credentials: Rotate all administrator passwords, API keys, and firewall credentials processed through Expedition to mitigate potential compromises. Monitor for indicators of compromise (IoCs): Look for unusual activities in logs or changes to configurations, which may indicate exploitation. Recommended content To learn more about this vulnerability by interacting with it in a sandboxed environment, we have both offensive and a defensive labs in the platform. Theoffensive scenarioallows you to perform the exploitation using the PoC, whereas ourdefensive scenarioupskills users by describing how to identify the IoCs – giving participants a deep understanding of how the exploit would appear in their environment. To find these labs and others, simply type the relevant CVE number into theImmersive Labs Search Bar. Final thoughts CVE-2024-5910 underscores the importance of promptly addressing vulnerabilities in tools that manage critical infrastructure configurations. Organizations should also stay on top of new and emerging threats, patch affected systems immediately, and follow best practices for securing administrative tools like Expedition. Using the Immersive Labs platform, organizations can gain a deep understanding of the most critical vulnerabilities and exploits and prepare for them in a practical and safe setting. For more details from the affected vendor, refer to the officialPalo Alto Networks security advisory.27Views0likes0CommentsIntroducing The Human Connection Challenge: Season 1
Starting today we will begin releasing a series of all-new Challenge Labs. Each month you’ll be given the chance to showcase your cybersecurity skills across a range of topics and climb the Season 1 Leaderboard, with the chance to win kudos and rewards along the way.1.1KViews6likes26CommentsWhere to Start? How Assess and Recommend can Unlock your Potential
What is Assess and Recommend? The Assess and Recommend feature was created with the end user in mind and helps determine the most appropriate content based on a learner’s knowledge and experience. The assessment leverages computer adaptive testing (CAT), which is a computer-based assessment that adjusts the difficulty of questions based on how a test taker answers previous questions. CAT is also known as tailored testing because it personalizes the test to the test taker's ability level. Having a more personalized assessment allows for a more personalized recommendation. Customized learning paths – NICE Framework One of the best things about the Assess and Recommend feature is that it creates personalized learning paths aligned to NIST's Workforce Framework for Cybersecurity (NICE Framework). The NIST NICE Framework, or NIST Special Publication 800-181, provides a structured guideline for defining and categorizing cybersecurity work roles, knowledge, skills, and abilities (KSAs). It aims to standardize the language around cybersecurity tasks and roles, enhancing workforce development, training, and alignment between job requirements and individual qualifications. Unlike traditional training programs, which tend to be the same for everyone, Immersive Labs uses assessment data to identify which roles in the NICE framework are most applicable to you. This means users focus on what they need to learn, rather than wasting time on topics they already know. As users upskill, they can retake assessments to receive new recommendations that match their evolving skill level, keeping training relevant and engaging. This dynamic approach is essential in a field where staying current is critical. By aligning with the NIST NICE Framework, the learning paths are tailored to specific roles, such as SOC analyst, pentester, or cyber professional, making the training even more effective. Benefits for organizations and users For organizations, the Assess and Recommend feature is incredibly valuable. It gives a clear picture of the team’s overall skills, strengths, and weaknesses. This information is crucial for planning targeted training, using resources wisely, and strengthening the organization’s cybersecurity defenses. Additionally, by promoting continuous learning and development, organizations can improve employee satisfaction and retention. Employees are more likely to stay with a company that invests in their growth, recognizing the importance of updated skills for job security and career advancement. Where can I Find this Feature? To find this feature, click the Upskill drop-down and navigate to Recommended Activities. Here, you’ll see a growing list of the assessments currently available in the platform. Share your Thoughts After completing your first assessment, tell us what you got as a recommendation in the comments below and share how your upskilling journey is going!100Views6likes3CommentsFace Your Fears this Halloween and Return to Haunted Hollow
🧛♀️ Brace yourselves, brave souls! The haunted season has returned, and with it, an all-new cybersecurity adventure—Halloween 2024: Return to Haunted Hollow. The sinister spirits of cyberspace await you in this terrifying sequel to our 2023 Halloween collection, The Haunted Hollow. This is no mere challenge—it’s an eerie expedition through 9 haunted labs designed to test your skills and sanity alike. Whether you're a seasoned crypt keeper of the cybersecurity world or a curious newcomer, there's a fright waiting for everyone in this immersive capture-the-flag experience! 🔮 From unraveling encrypted secrets to hunting ghosts in packet captures, every lab holds the key to defeating the horrors lurking within. Can you escape the Haunted Helpdesk, break the Encryption Enigma, or uncover the Spooky, Scary, Silly Snaps? Each step you take deeper into this digital graveyard will challenge your mind and test your courage, until you can break out of the park through the Emergency Exit! 🕷️ With a difficulty ranging from approachable to spine-chillingly tough, it’s not about conquering all the horrors—just enough to emerge from the shadows with your sanity intact. Gather your wits, grab your digital lantern, and get ready to explore the most terrifying corners of cyber horror! 🧛 Release Date: October 16th ⌛ Estimated Time to Complete: 5 hours 👻 Labs: 9, each more terrifying than the last 🎃 Difficulty Range: 2-6 🧟 Collection Type: Challenge Lab details Note: These labs can be completed in any order, but we have ordered them from most accessible to most challenging. The final lab can only be completed after the other labs have been completed. The prequel collection doesn’t need to be completed before you can dive into these labs, but if you're craving some extra chills and thrills, feel free to haunt them first! Phishing for Treats Difficulty: 2 Skills required: None – this lab should be accessible to all audiences What's involved: This lab is a new phishing emails lab, with Halloween-themed emails. Users have to identify whether the email is 'safe' or 'spam' based on indicators from the emails. PCAP Pandemonium Difficulty: 4 Skills required: Packet capture analysis (Wireshark) What's involved: In this lab, users will need to analyse multiple packet captures using Wireshark to identify answers to the questions from the network traffic. Delving Deeper Difficulty: 4 Skills required: Web application enumeration What's involved: Users will need to explore a web application in order to gain access to a computer terminal within the application. From there, they'll need to interact with a simple API. Encryption Enigma Difficulty: 5 Skills required: Modern encryption/encoding techniques (Knowledge of how to use CyberChef will be useful) What's involved: Users will need to identify the correct encoding and encryption technique used to obfuscate each message in an application, before decrypting/decoding each message. Confusing Code Difficulty: 5 Skills required: Linux enumeration techniques, reverse engineering (particularly using Ghidra) What's involved: Users will need to use Linux enumeration techniques to identify a binary, before reverse engineering that binary to figure out how to exploit it. Haunted Helpdesk Difficulty: 5 Skills required: Linux enumeration and privilege escalation techniques What's involved: Users will be dropped into a restricted environment. From there, they'll need to figure out how to escape, and escalate their privileges to root. Fearsome Forensics Difficulty: 6 Skills required: OSINT, web application enumeration, modern encryption techniques, steganography What's involved: In this lab, the user will need to explore the web application and discover clues using OSINT techniques. These clues will then be used to decipher encrypted messages, finally revealing how to extract a message hidden inside an image. Spooky, Scary, Silly Snaps Difficulty: 6 Skills required: AWS capabilities (particularly S3 and AWS permissions), Python scripting What's involved: Users will need to enumerate public S3 resources to identify credentials for an AWS account. From here, they'll need to interact with the AWS console, and identify a way of escalating their privileges on AWS. Emergency Exit Difficulty: 1 Skills required: None – this lab is a culmination of the preceding labs within the collection, but no specific skills are required to complete this lab. What's involved: In each of the labs in this collection, users would have been asked to make a note of a code. In this lab, they need to submit each of these codes. Share Your Thoughts Did you escape the Haunted Hollow? We'd love to hear from you! Remember you can post in our Help & Support Forum for hints, tips & collaboration from your fellow community of experts.703Views12likes17CommentsCVE-2024-30051: What You Need to Know
What is CVE-2024-30051? CVE-2024-30051 is a vulnerability in the Microsoft Windows Desktop Window Manager (DWM) Core Library that allows attackers to gain SYSTEM-level privileges and execute arbitrary code, giving them extensive control over the compromised system. Which systems are affected? CVE-2024-30051 impacts a broad range of Windows systems, including: Windows 10 (various versions) Windows 11 (various versions) Windows Server 2016 and later versions For a precise list of affected product configurations, check out the NIST National Vulnerability Database. How could bad actors use this security issue? Attackers have already exploited CVE-2024-30051 in real-world attacks, using it to distribute Qakbot malware via malicious email attachments or compromised websites. Once the malicious code is executed, the vulnerability is used to escalate privileges, allowing deep system access for installing more malware, stealing sensitive data, or taking full control of the system. How to protect your organisation The simplest and most obvious method is to apply the latest Windows security updates as soon as they become available. Microsoft released patches addressing CVE-2024-30051 as part of its May 2024 Patch Tuesday updates. Organisations and users are strongly advised to apply these patches immediately to protect their systems from potential exploitation. To verify if you've been affected by this vulnerability, analyse your logs for suspicious activity. Specifically, look for DLLs loaded from locations outside of system32 by legitimate Windows processes, as this may indicate the CVE-2024-30051 exploit has been used to load a malicious DLL. Additionally, to mitigate against future vulnerabilities, educate users about the risks of phishing and malware. Qakbot is often spread through email attachments or malicious websites. Educate users about the risks of opening attachments from unknown senders or clicking on suspicious links in emails. Conclusion CVE-2024-30051 highlights the importance of cybersecurity awareness and proactive measures as it can be mitigated with organisational cyber awareness and regular patching policies. As always, staying informed about potential vulnerabilities is crucial to mitigating such risks. Recommended content If you’d like to learn how to detect this vulnerability in a sandboxed environment, check out our CVE-2024-30051 lab. In this lab, you'll threat hunt through a SIEM system to identify indicators of compromise (IoCs). Don’t forget you can seek help and collaboration with this lab content in our Help & Support Forum! Share your thoughts If CVE-2024-30051 has impacted your organization, we’d love to hear about your steps to mitigate the risk. Do you have any recommendations for preparing for similar vulnerabilities in the future?52Views1like0CommentsCozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right? The Cozy Bear group has been observed using tools and techniques that target groups like government,healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl. All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetuated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group: APT29: Threat Hunting with Elasticsearch Successful cyber threat hunting relies on a combination of information from cyber threat intelligence to detailed event logs via endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario. APT29: Threat Hunting with Splunk These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk. Brute Ratel: Extracting Indicators of Compromise Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29. The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive CVE-2020-5902 (F5 BIG-IP) – Defensive CVE-2020-5902 (F5 BIG-IP) – Offensive We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed on established threat actors and attack vectors – so your organization stays out of the news 🙅♀️🐻📰 Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!158Views9likes4CommentsUnderstanding CVE-2024-3094: A Major Software Security Issue in XZ Utils
What is CVE-2024-3094? Recently, a critical security problem, known as CVE-2024-3094, was found in the XZ Utils library. XZ Utils is a set of open-source command-line tools and libraries for lossless data compression on various Linux systems. If your systems are running Linux or Mac, your OS likely uses it in the background when unpacking archives, and even if you’re using Windows, most of your services will use XZ Utils. This code allowed for SSH backdoor access and remote code execution on affected systems, earning a maximum CVSS score of 10. The harmful code was hidden within the XZ Utils software by a ‘trusted’ developer, starting with version 5.6.0. This developer was actually a bad actor who gained the trust of the sole maintainer of the code over many years of social engineering with multiple fake identities created to convince the maintainer that they were trustworthy. To learn more, check out the emails on research.swtch.com . Which Linux systems are affected? The compromised versions of XZ have been found in certain versions of Debian, Kali Linux, OpenSUSE, Arch Linux, and Fedora: Debian: Unstable/Sid versions from 5.5.1alpha-0.1 to 5.1.1-1 Kali Linux: Systems updated between March 26-29, 2024 OpenSUSE: Rolling releases Tumbleweed and MicroOS between March 7-28, 2024 Arch Linux: Versions 2024.03.01, VM images from late February to late March 2024 Fedora: Rawhide and Fedora 40 Beta Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094 How could this security issue be used by bad actors? Attackers could exploit this vulnerability by taking advantage of the backdoor inserted into the XZ Utils library. With this vulnerability, they can: Exploit the backdoor: Using the backdoor, attackers could bypass SSH authentication, allowing them to gain access to the system without needing valid credentials. Elevate privileges: Once inside, attackers could attempt to gain higher-level access, enabling them to control more parts of the system. Establish persistence: Attackers might install persistent malware to maintain access to the compromised system. Spread laterally: From the initial compromised system, attackers could move laterally within the network, targeting other systems and spreading their control. Steal sensitive data: Attackers could access and exfiltrate sensitive data, such as personal information, financial records, or intellectual property. Disrupt operations: By tampering with critical services or data, attackers could disrupt business operations, leading to downtime and financial losses. Deploy ransomware: Attackers could encrypt critical data and demand a ransom for its decryption, causing further damage and financial loss. How to protect your systems To protect your systems from this vulnerability, you should verify if your systems are using the compromised versions of XZ Utils and keep up with the latest advice from vendors. If your systems contain the mentioned versions, make sure you update to at least version 5.6.1-2. You’ll also want to ensure proper security hygiene by keeping all other software up to date with the latest security patches. Finally, make sure your IT and security teams understand this vulnerability, are able to fix it, and know how to respond to potential threats. Conclusion CVE-2024-3094 highlights the importance of securing the software supply chain. By understanding this security issue and taking proactive steps, you can better protect your systems from sophisticated attacks. Keep your systems updated, improve your organizational resilience, and consult with your software vendors for the latest security information. Recommended content If you’d like to know more, we have an XZ Utils Lab in the latest CVEs collection. In the lab, you'll take on the role of a CIRT analyst researching backdoor deployment techniques. Share your thoughts If this vulnerability impacted your organization, what steps did you take to fix it, and what changes have you made to prevent future issues? Comment and collaborate with others in the comments!84Views2likes0Comments