New CTI Labs: Palo Alto Expedition Critical Vulnerabilities
CVE-2024-5910 (Palo Alto Expedition) - Defensive: identify signs of exploitation in event logs and extract indicators of compromise.

CVE-2024-5910 (Palo Alto Expedition) - Offensive: use publicly available proof-of-concept code to exploit the vulnerabilities and gain access to sensitive data.

What is Expedition and why should you care?

The flaws were found in Palo Alto Networks' Expedition, a tool that helps migrate firewall configurations from Check Point, Cisco and other supported vendors. Because the application handles firewall configurations, it can be exploited to access sensitive data such as user credentials, which in turn can be used to take over firewall admin accounts and significantly weaken the security of an organisation's network. These labs provide steps to identify potential signs of exploitation and detail how the exploit functions.

Who is it for?

Incident responders
SOC analysts
CTI analysts
Threat hunters
Red teams
Pen testers
Offensive security professionals

Complete CVE-2024-5910 (Palo Alto Expedition) - Defensive here
Complete CVE-2024-5910 (Palo Alto Expedition) - Offensive here

Patch Tuesday October 2024
CVE-2024-43572 - 7.8 - Microsoft Management Console Remote Code Execution Vulnerability

Top of the list for patching should be a vulnerability in the Microsoft Management Console. While its CVSS score is not the highest in this month's notes, it is being actively exploited in the wild and warrants immediate attention. Although Microsoft labels it "remote code execution", exploitation requires user interaction and some degree of social engineering: the attacker must craft a malicious .msc file that, when opened, runs arbitrary code or commands and compromises the host. Such a file would typically be delivered as an email attachment or as a link to a download.

After patching, security teams and threat hunters should proactively check historical mail and web logs for .msc files being sent, received or downloaded. Organizations that cannot deploy the patch quickly should add monitoring and blocking rules for this file extension in the meantime. The fix deployed by Microsoft prevents untrusted .msc files from being executed.

CVE-2024-43609 - 6.5 - Microsoft Office Spoofing Vulnerability

While not yet exploited in the wild, CVE-2024-43609 deserves closer attention because Microsoft has rated it "Exploitation More Likely". The vulnerability affects Microsoft Office and allows an attacker to obtain the NTLM credentials of any user who interacts with a crafted document: the document coerces Office into authenticating to an attacker-controlled server, leaking the user's NTLM hash (in practice a Net-NTLMv2 challenge-response that can be relayed to another service or cracked offline). With that material, the attacker can authenticate as the user without knowing their password, in the style of a "pass the hash" attack, which is where the "spoofing" in the vulnerability title comes from. Credential theft of this kind is frequently used by threat actors and often leads to remote compromise.
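As an added example of the historical-log check recommended above for CVE-2024-43572 (this is not code from the original post), the script below scans a mail-gateway export for messages that carried a .msc file as an attachment or linked to one for download. The CSV layout and the log lines are constructed for illustration; adapt the column names to your gateway's export format.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import List

# Constructed sample export from a mail gateway (not real data). Attachment names are
# ';'-separated; URLs seen in the message body are ';'-separated in the last column.
SAMPLE_MAIL_LOG = """timestamp,sender,recipient,attachments,urls
2024-10-09T08:12:03Z,hr@corp.example,alice@corp.example,payroll_q3.xlsx,
2024-10-09T09:40:51Z,billing@invoice-portal.example,bob@corp.example,Invoice_4471.pdf.msc,
2024-10-09T10:02:17Z,helpdesk@corp-support.example,carol@corp.example,,https://cdn.corp-support.example/tools/Cleanup.MSC?v=2
2024-10-09T11:15:44Z,dave@corp.example,erin@corp.example,notes.txt;agenda.docx,https://intranet.corp.example/wiki
"""

# Match a .msc extension at the end of a file name or URL path, ignoring any
# query string or fragment and ignoring case (Windows treats .MSC the same as .msc).
MSC_RE = re.compile(r"\.msc(?:[?#][^/]*)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    sender: str
    recipient: str
    indicator: str
    kind: str  # "attachment" or "url"


def is_msc(name: str) -> bool:
    """True if the file name or URL refers to a Microsoft Management Console snap-in file."""
    return bool(MSC_RE.search(name.strip()))


def find_msc_deliveries(log_text: str) -> List[Hit]:
    """Return every message that carried a .msc file as an attachment or linked to one.

    Only the outer attachment name is inspected: a .msc inside a ZIP or ISO will not
    be caught here unless the gateway already expands archives into this column.
    """
    hits: List[Hit] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        for att in filter(None, (row.get("attachments") or "").split(";")):
            if is_msc(att):
                hits.append(Hit(row["timestamp"], row["sender"], row["recipient"], att, "attachment"))
        for url in filter(None, (row.get("urls") or "").split(";")):
            if is_msc(url):
                hits.append(Hit(row["timestamp"], row["sender"], row["recipient"], url, "url"))
    return hits


if __name__ == "__main__":
    for hit in find_msc_deliveries(SAMPLE_MAIL_LOG):
        print(f"{hit.timestamp} {hit.kind:<10} {hit.sender} -> {hit.recipient}: {hit.indicator}")
```

Run against the sample it reports two messages: the double-extension attachment and the case-varied download link. Blocking the extension at the gateway covers the same two delivery paths, but not archives, so pair the rule with archive inspection or application control on the endpoint.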
For CVE-2024-43609, organizations should follow Microsoft's guidance on blocking outbound SMB (TCP 445) at the network perimeter and on configuring network security policies that restrict NTLM traffic.

CVE-2024-43573 - 6.5 - Windows MSHTML Platform Spoofing Vulnerability

This vulnerability lies in the MSHTML platform used by certain Microsoft applications, including Internet Explorer mode in Microsoft Edge. It allows an attacker to present malicious web content that appears legitimate because of the way the platform handles certain web elements. Once a user is deceived into interacting with that content, typically through phishing, the attacker can gain unauthorized access to sensitive information or manipulate web-based services. The attack requires no special privileges and no prior knowledge of the user's system, which makes it relatively easy to carry out.

Rated 6.5 out of 10, the vulnerability has already been exploited in the wild, making it a serious concern for large organisations that still rely on legacy web applications. Many larger and more mature organizations keep Internet Explorer mode available for compatibility with internal applications, and although Internet Explorer itself has been retired, the underlying MSHTML engine remains present and therefore exposed. Employees using these older systems as part of their everyday work are at risk, especially if they access sensitive data or perform financial transactions. Microsoft ships fixes for MSHTML in the Internet Explorer Cumulative Updates, so businesses with legacy dependencies should make sure those updates are applied regularly.
CVE-2024-43582 - 8.1 - Remote Desktop Protocol Server Remote Code Execution Vulnerability

Microsoft has patched a use-after-free vulnerability in the Remote Desktop Protocol (RDP) service affecting Windows Server 2019 and Windows 10 (1809) onwards that can lead to remote code execution. Little is known about the bug beyond Microsoft's note that an unauthenticated attacker can exploit it by sending malformed packets to an RPC host, gaining execution with the permissions of the RPC service. If that description refers to the RPCSS service, which runs as NETWORK SERVICE, escalation to SYSTEM afterwards would be trivial given the privileges of that account and the availability of the "potato" family of exploits.

It should be assumed that any successful exploitation will lead to complete compromise of the targeted system. In environments where RDP is heavily used for system management, or where Remote Desktop Gateway (RDG) is used to give users access to secure environments (RDG allows RPC interaction over HTTP/S), patching should be treated as a priority. Vulnerabilities in RDP are rare, and Microsoft assesses exploitation as difficult and less likely; however, now that the patch is public and researchers are reversing it, it may only be a matter of time before in-the-wild exploitation is seen. An exploit of this nature would be highly prized by ransomware groups because it offers total compromise of a system without any credentials, could help them reach high-value targets such as Domain Controllers, and could be used to launch the destructive phase of an attack across the entire domain.

CVE-2024-43583 - 6.8 - Winlogon Elevation of Privilege Vulnerability

This vulnerability has been identified in the Winlogon process.
Winlogon is responsible for handling secure user logins in Windows. This vulnerability, rated 6.8 out of 10, allows an attacker with local access to a machine to elevate their privileges to SYSTEM, the highest level of access in Windows, which could let them take full control of the system, change settings, access sensitive data or install malicious software. Microsoft has released little detail, but the local nature of the bug means the attacker needs physical access to the machine or an existing session, making it comparable to kiosk-breakout scenarios in which a restricted environment is bypassed. It is therefore a concern for public kiosks, shared computers or any device that restricts what a logged-in user can do.

To protect against this vulnerability, ensure that a Microsoft first-party Input Method Editor (IME) is enabled on the device. IMEs are used to enter complex characters, including during sign-in, and third-party IMEs could be abused during the logon process. This is particularly relevant when installing language packs for your keyboard, as some of them bring their own IME. Using a Microsoft IME minimizes the risk of this vulnerability being exploited at sign-in.

Cozy Bear? Not So Cozy…
When you think of a "cozy bear", you might think of Winnie the Pooh or a faux fur throw by the fire, not a state-sponsored hacking group that has been active since 2008. On 26 June 2024, TeamViewer, one of the most widely used remote access products, detected an intrusion into its internal corporate IT environment, and the evidence points to Russia's Midnight Blizzard group, also known as APT29, the Dukes and Cozy Bear. Not exactly the behaviour you'd expect from a cozy bear, right?

Cozy Bear has been observed using tools and techniques against government, healthcare and energy organizations. Its most common techniques include vulnerability scanning (T1595.002) and exploitation of public-facing applications (T1190) against vulnerable systems. It's also associated with the SolarWinds supply chain compromise disclosed in December 2020, which later resulted in the first ever SEC charges against a CISO. It's safe to say this bear isn't hibernating, it's on the prowl.

All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetrated by this group. Ensure your teams aren't caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group:

APT29: Threat Hunting with Elasticsearch
Successful cyber threat hunting relies on combining cyber threat intelligence with detailed event logs from endpoints, network devices and security tools. This lab collection gives you an opportunity to explore these concepts through the lens of an emulated APT29 attack scenario.

APT29: Threat Hunting with Splunk
These labs follow the same attack path as the collection above but with different tactical and system focuses, providing an opportunity to explore the same concepts in Splunk.

Brute Ratel: Extracting Indicators of Compromise
Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements.
This tool has been observed in the wild being used by nation-state actors, specifically APT29.

The following labs are also based on this threat group's known tactics, techniques, and procedures (TTPs) and exploits. Check them out:

CVE-2019-19781 (Citrix RCE) – Defensive
CVE-2019-19781 (Citrix RCE) – Offensive
CVE-2020-5902 (F5 BIG-IP) – Defensive
CVE-2020-5902 (F5 BIG-IP) – Offensive

We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and well versed in established threat actors and attack vectors, so your organization stays out of the news 🙅♀️🐻📰

Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We're beary eager for your feedback in the comments below!

New CTI Lab: CUPS Remote Code Execution Vulnerability – Defensive
You may have heard the hype about the latest Linux RCE, which was due to be disclosed on 6 October. It leaked and was released early. At the time of release there was no patch available, although fixes began shipping within hours. The researcher who disclosed it rated it 9.9 in CVSS (meaning terrifying), but at Immersive Labs we assess it as closer to 6.8. While the hype outstrips the real risk, there are an estimated 300,000 exposed machines on the internet that could be affected.

What is CVE-2024-47177 – CUPS RCE?

It is based on a vulnerability from over a decade ago that was accidentally reintroduced when code was ported to a new repository. It targets CUPS, the printing system on Linux. The cups-browsed discovery service listens on UDP port 631 and is open to the world by default on affected builds, meaning anyone who can reach it can begin the attack. The full RCE is more nuanced, as it requires user interaction (a print job sent to the attacker-added printer), but it is still worth understanding given the attention it has received.

Why should you care?

Due to its low complexity and potential reach, this vulnerability may worry customers who run many Ubuntu desktops on their business networks. We have therefore created a lab on how to threat hunt for this vulnerability and the logging produced once the exploit has been successfully executed.

Who is it for?

Incident responders
SOC analysts
Malware reverse engineers
CTI analysts
Threat hunters

Complete the CUPS Remote Code Execution Vulnerability Lab here
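The quickest check a defender can make for the exposure described above is whether anything on the host is bound to UDP 631 on a non-loopback address. The added example below (not from the original post or the lab) does that by parsing the kernel's /proc/net/udp socket table, which stores addresses as little-endian hex. The two tables embedded in the script are constructed samples; run it on a real host and it reads the live table instead.

```python
import os
from typing import List, Tuple

CUPS_PORT = 631

# Constructed excerpt in the layout of /proc/net/udp (not captured from a real host).
# Addresses are hex in host byte order: 00000000:0277 is 0.0.0.0:631, 3500007F:0035 is 127.0.0.53:53.
SAMPLE_PROC_NET_UDP = """   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  623: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
  701: 3500007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
"""

# Same layout, but port 631 bound only to loopback (constructed).
SAMPLE_PROC_NET_UDP_LOOPBACK_ONLY = """   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  623: 0100007F:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
"""


def hex_to_ipv4(hex_addr: str) -> str:
    """Decode the little-endian hex IPv4 address used in /proc/net/{udp,tcp}."""
    octets = bytes.fromhex(hex_addr)[::-1]
    return ".".join(str(o) for o in octets)


def parse_proc_net_udp(text: str) -> List[Tuple[str, int]]:
    """Return (local_address, local_port) for every UDP socket in the table."""
    sockets: List[Tuple[str, int]] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        addr_hex, port_hex = fields[1].split(":")
        sockets.append((hex_to_ipv4(addr_hex), int(port_hex, 16)))
    return sockets


def exposed_cups_listeners(text: str) -> List[str]:
    """Addresses bound to UDP 631 that are reachable from beyond the local host.

    Note: IPv6 sockets live in /proc/net/udp6 and need a separate pass; cups-browsed
    can also bind [::]:631.
    """
    return [
        addr
        for addr, port in parse_proc_net_udp(text)
        if port == CUPS_PORT and not addr.startswith("127.")
    ]


if __name__ == "__main__":
    if os.path.exists("/proc/net/udp"):
        with open("/proc/net/udp") as fh:
            table = fh.read()
    else:
        table = SAMPLE_PROC_NET_UDP
    exposed = exposed_cups_listeners(table)
    print("UDP 631 exposed on:", exposed or "nothing (not exposed)")
```

If the script reports an exposed listener on a host that does not need network printer discovery, stopping and disabling the cups-browsed service (or filtering UDP 631 at the host firewall) removes the entry point while the distribution packages are updated.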
New CTI Lab: CVE-2024-38112 and CVE-2024-43461 (Windows MSHTML Platform Spoofing): Defensive

On 15 July 2024, Trend Micro published research on a threat actor named Void Banshee, which had been observed in May 2024 running a kill chain to deploy the Atlantida infostealer. To achieve this, the group exploited two vulnerabilities in the Microsoft HTML engine, one of which went unpatched for months.

Why have we created this content?

Both vulnerabilities, the second of which was patched in September's Patch Tuesday, have been marked by Microsoft and in CISA's KEV catalog as actively exploited in the wild. Void Banshee, the threat actor that chained them earlier this year, has attacked companies in Europe, North America and Southeast Asia. Customers need to know how to alert on the threats these vulnerabilities enable and how to ensure they don't fall victim to them.

What are we publishing?

All customers on a CyberPro License have immediate access to this new lab.

CVE-2024-38112 and CVE-2024-43461 (Windows MSHTML Platform Spoofing): Defensive

Who is this content for?

This lab is focused on upskilling and increasing the defensive capabilities of the following roles:

SOC Analysts
Incident Responders
Threat Hunters
Malware Analysts

Understanding CVE-2024-3094: A Major Software Security Issue in XZ Utils
What is CVE-2024-3094?

Recently, a critical security problem, tracked as CVE-2024-3094, was found in the XZ Utils library. XZ Utils is a set of open-source command-line tools and libraries for lossless data compression used across Linux systems. If you run Linux or macOS, your OS likely uses it in the background when unpacking archives, and even on Windows many tools and services bundle their own copy. The malicious code allowed SSH backdoor access and remote code execution on affected systems, earning the maximum CVSS score of 10.

The harmful code was hidden in XZ Utils by a 'trusted' developer, starting with version 5.6.0. This developer was in fact a bad actor who gained the trust of the project's sole maintainer over many years of social engineering, using multiple fake identities to convince the maintainer they were trustworthy. To learn more, check out the timeline and emails at research.swtch.com.

Which Linux systems are affected?

The compromised versions of XZ have been found in certain versions of Debian, Kali Linux, openSUSE, Arch Linux and Fedora:

Debian: Unstable/Sid versions from 5.5.1alpha-0.1 to 5.6.1-1
Kali Linux: Systems updated between 26 and 29 March 2024
openSUSE: Rolling releases Tumbleweed and MicroOS between 7 and 28 March 2024
Arch Linux: Installation medium 2024.03.01 and VM images from late February to late March 2024
Fedora: Rawhide and Fedora 40 Beta

Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

How could this security issue be used by bad actors?

Attackers could exploit this vulnerability by taking advantage of the backdoor inserted into the XZ Utils library. With it, they can:

Exploit the backdoor: bypass SSH authentication and gain access to the system without valid credentials.
Elevate privileges: once inside, attempt to gain higher-level access and control more of the system.
Establish persistence: install persistent malware to maintain access to the compromised system.
Spread laterally: move from the initial foothold to other systems on the network.
Steal sensitive data: access and exfiltrate personal information, financial records or intellectual property.
Disrupt operations: tamper with critical services or data, causing downtime and financial losses.
Deploy ransomware: encrypt critical data and demand a ransom for its decryption.

How to protect your systems

To protect your systems, verify whether they are running a compromised version of XZ Utils (5.6.0 or 5.6.1) and keep up with the latest advice from your vendors. If you find an affected version, follow your distribution's advisory: in most cases this means downgrading to a known-good 5.4.x build or installing the vendor's rebuilt package. Maintain good security hygiene by keeping all other software up to date with the latest security patches, and make sure your IT and security teams understand this vulnerability, can remediate it, and know how to respond to related threats.

Conclusion

CVE-2024-3094 highlights the importance of securing the software supply chain. By understanding this issue and taking proactive steps, you can better protect your systems from sophisticated attacks. Keep your systems updated, improve your organizational resilience, and consult your software vendors for the latest security information.

Recommended content

If you'd like to know more, we have an XZ Utils lab in the latest CVEs collection. In the lab, you'll take on the role of a CIRT analyst researching backdoor deployment techniques.
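The first protective step above, verifying whether a host runs an affected build, is easy to get wrong because distributions shipped their fixes under package version strings that still look like 5.6.x. The added example below (not from the original post or the lab) parses xz --version output for the liblzma version and normalises Debian-style "+really" package versions before comparing against the two backdoored releases. The sample outputs are constructed; the local check at the bottom runs the real xz binary if one is installed.

```python
import re
import subprocess
from typing import Optional

# Upstream releases that shipped the CVE-2024-3094 backdoor.
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_XZ_VERSION_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_XZ_VERSION_GOOD = "xz (XZ Utils) 5.4.5\nliblzma 5.4.5\n"
SAMPLE_DPKG_REVERTED = "5.6.1+really5.4.5-1"


def liblzma_version(xz_version_output: str) -> Optional[str]:
    """Pull the liblzma version out of `xz --version` output.

    The library line is preferred over the xz binary line: the backdoor lives in
    liblzma, which sshd ends up loading via libsystemd on affected distributions.
    """
    m = re.search(r"^liblzma\s+(\d+\.\d+\.\d+)", xz_version_output, re.MULTILINE)
    if m is None:
        m = re.search(r"^xz \(XZ Utils\)\s+(\d+\.\d+\.\d+)", xz_version_output, re.MULTILINE)
    return m.group(1) if m else None


def upstream_version_from_package(pkg_version: str) -> str:
    """Normalise a distro package version to its upstream version.

    Debian's emergency fix kept the package version high so apt would treat it as
    an upgrade, but appended '+really<old>' to signal the code actually shipped:
    5.6.1+really5.4.5-1 is really 5.4.5 and must not be flagged.
    """
    m = re.search(r"\+really(\d+\.\d+\.\d+)", pkg_version)
    if m:
        return m.group(1)
    m = re.match(r"(\d+\.\d+\.\d+)", pkg_version)
    return m.group(1) if m else pkg_version


def is_backdoored(version: Optional[str]) -> bool:
    """True only for the two upstream releases known to carry the backdoor."""
    return version in BACKDOORED_VERSIONS


def check_local_host() -> Optional[bool]:
    """Run `xz --version` on this machine; None if xz is not installed."""
    try:
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_backdoored(liblzma_version(out))


if __name__ == "__main__":
    result = check_local_host()
    if result is None:
        print("xz not found on this host")
    else:
        print("BACKDOORED liblzma present" if result else "liblzma not in the affected set")
```

Feed the package version from dpkg -s xz-utils or rpm -q xz-libs into upstream_version_from_package when auditing a fleet from inventory data rather than from the binary itself.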
Share your thoughts

If this vulnerability impacted your organization, what steps did you take to fix it, and what changes have you made to prevent future issues? Comment and collaborate with others in the comments!

New CTI Lab: CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive
CVE-2024-30051 is a zero-day vulnerability discovered in the Windows Desktop Window Manager (DWM) Core Library. Patched in the May 2024 Patch Tuesday release, it has been used by threat actors and malware, notably QakBot, from May 2024 to as recently as September 2024.

Why have we created this content?

Although this vulnerability was reported in May 2024 and patched quickly, exploitation by significant threat actors is still being seen. This privilege escalation exploit can be straightforward for defensive teams to spot. Additionally, a detailed proof of concept (PoC) was recently released, months after the patch; the publication of detailed PoCs typically leads to an uptick in exploitation, and we expect the same here.

What are we publishing?

All customers on a CyberPro License have immediate access to this new lab.

CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive

Who is this content for?

These labs are focused on upskilling and increasing the defensive capabilities of the following roles:

SOC Analysts
Incident Responders
Threat Hunters
Malware Analysts

Patch Tuesday September 2024
CVE-2024-43491 - 9.8 - Microsoft Windows Update Remote Code Execution Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs

Top of the list for patches this month is a CVE in the Windows Update mechanism. Tracked as CVE-2024-43491, it comes in at 9.8 out of 10 and is marked as "Exploitation Detected". The vulnerability impacted Windows Update in a way that rolled back security patches for some components to a vulnerable state, where they will have remained since March 2024. Some of those components have been exploited in the wild in the past, meaning attackers could still exploit them despite Windows Update reporting the system as fully patched.

The root cause is that on specific versions of Windows 10, the build version numbers checked by the update service were not handled correctly in the code. Microsoft's notes say the "build version numbers crossed into a range that triggered a code defect", which points to a version-range or integer handling bug that caused optional components to be detected as "Not Applicable" and therefore reverted to their original unpatched versions. There are a lot of caveats to this one, so it's worth reading the official notes. The short version is that some versions of Windows 10 with optional components enabled were left in a vulnerable state.

CVE-2024-38217 - 5.4 - Windows Mark of the Web Security Feature Bypass Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs

Mark of the Web (MoTW) has been a popular target for threat actors in recent months, and this month is no different. MoTW is a Windows feature that tags files downloaded from the internet; if a user tries to run a file carrying this mark, the operating system steps in to warn about or block the action.
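The "tag" that MoTW applies is an NTFS alternate data stream named Zone.Identifier, an INI-style text blob recording the URL security zone (3 for Internet) and, on recent Windows versions, the download URLs. When triaging a suspected bypass, a hunter collects these streams and checks whether a file that arrived from the web actually carries zone 3 or 4. The added example below (not from the original post) parses that stream; the two stream bodies are constructed samples, and the zone IDs are the standard Windows URL security zones.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URL security zones as recorded in the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier alternate data stream (not from a real host).
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://files.example.net/
HostUrl=https://files.example.net/downloads/Q3_report.iso
"""

# Constructed sample for a file copied from an intranet share (CRLF line endings, no URLs).
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


@dataclass(frozen=True)
class ZoneIdentifier:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown ({self.zone_id})")

    @property
    def carries_mark_of_the_web(self) -> bool:
        """Windows applies MoTW protections (SmartScreen, Protected View) to zones 3 and 4."""
        return self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> Optional[ZoneIdentifier]:
    """Parse the INI-style Zone.Identifier stream; None if it has no usable [ZoneTransfer] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    section = cp["ZoneTransfer"]  # option lookups are case-insensitive
    return ZoneIdentifier(
        zone_id=int(section["ZoneId"]),
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


if __name__ == "__main__":
    for sample in (SAMPLE_ZONE_IDENTIFIER, SAMPLE_INTRANET):
        z = parse_zone_identifier(sample)
        if z is not None:
            print(f"zone {z.zone_id} ({z.zone_name}); MoTW enforced: {z.carries_mark_of_the_web}; from: {z.host_url}")
```

On Windows the stream text comes from Get-Content .\file -Stream Zone.Identifier in PowerShell, or from opening "file:Zone.Identifier" in Python. A file whose HostUrl is an internet address but whose ZoneId is below 3, or which has no stream at all despite a proxy log showing it was downloaded, is the artifact this month's bypass would leave behind.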
It is important to note that this vulnerability alone is not enough for an attacker to compromise a user's workstation; it would be used in conjunction with something like a spear-phishing attack that delivers a malicious file. Defence in depth is the key mitigation here: organizations should not rely solely on features like Mark of the Web to protect them. To exploit this vulnerability, an attacker needs to host a specially crafted file on a web server and then socially engineer the user into opening it, typically by sending a link via email or a messaging service.

CVE-2024-38014 - 7.8 - Windows Installer Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

This vulnerability has been exploited in the wild and has a CVSS score of 7.8. Much like previous Windows Installer elevation of privilege vulnerabilities, such as InstallerFileTakeOver, successful exploitation gives the attacker full SYSTEM privileges. As with those earlier Windows Installer bugs, attackers will keep using this one for the foreseeable future, so it is worth patching as soon as possible. Among the affected versions is the newly released Windows 11 24H2, so Copilot+ devices, which are now publicly available, will need to be patched as well.

CVE-2024-38226 - 7.3 - Microsoft Publisher Security Feature Bypass Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

This vulnerability has been exploited in the wild and has a CVSS score of 7.3. Because it is a security feature bypass, threat actors will likely use it as part of an attack chain built around Microsoft Publisher phishing documents.
An attacker could bypass the Office suite's macro warning, which acts as a last line of defence to stop users enabling macros in documents, a common attack method used by threat actors worldwide. If that warning does not appear, successful phishing attempts will likely increase.

CVE-2024-38220 - 9.0 - Azure Stack Hub Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

Azure Stack Hub is Microsoft's hybrid cloud platform that lets you run Azure services from your own data center. It extends Azure's public cloud capabilities to on-premises infrastructure, enabling organizations to build, deploy and manage applications consistently across public and private clouds. This vulnerability lets an attacker gain unauthorized access to a business's internal resources, content and applications; however, the attacker must be authenticated and must also wait for a victim user to initiate a connection, likely by accident or through social engineering.

CVE-2024-38241 & CVE-2024-38242 -- Kernel Streaming Service Driver Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

Kernel vulnerabilities like CVE-2024-38241 often arise from flaws in low-level components such as device drivers, including the Kernel Streaming Service Driver, which handles audio and video streaming in Windows. The kernel is a critical part of the operating system, managing core resources and mediating between hardware and software. Vulnerabilities in the kernel or its drivers are particularly dangerous because that code runs with high privileges, so exploiting such flaws could allow attackers to bypass security controls, execute arbitrary code or escalate privileges to gain control of the entire system.
Kernel streaming drivers in particular are designed to process and stream multimedia data efficiently, making them a common source of vulnerabilities because of their complexity and real-time processing requirements. Issues such as improper input validation (as in CVE-2024-38241) are common, where malicious input manipulates the kernel's behaviour and leads to elevation of privilege.

New CTI Labs: Threat Actor - Peach Sandstorm and Tickler Malware
Peach Sandstorm is a suspected Iranian state-sponsored threat actor that primarily targets organizations in the satellite, communications equipment, oil and gas, and federal and state government sectors in the United States and the United Arab Emirates.

Why have we created this content?

Microsoft recently reported that this threat actor has evolved its tradecraft and is using a new multi-stage backdoor called Tickler. The group also uses password spraying to obtain credentials for Azure services, which it then repurposes as command and control infrastructure. Targets of interest include the United States, Western Europe and the United Arab Emirates.

What are we publishing?

All customers on a CyberPro License have immediate access to these new labs.

Threat Actors: Peach Sandstorm
Tickler Malware: Analysis

Who is this content for?

These labs are focused on upskilling and increasing the defensive capabilities of the following roles:

SOC Analysts
Incident Responders
Cyber Threat Intelligence Analysts
Threat Hunters
Malware Analysts