Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here.

📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here are a few tips to help you get the most from your experience:

🚀 This is a live, interactive session. Make sure you join promptly to get the full experience.
🔗 To join today's session, visit the event page or simply use the Zoom link.
❓ You’ll also have the opportunity to take part in a Q&A with our expert panel, so you can leave with an action plan to turn your ideas into reality. You can pre-submit questions here.

Event Description
Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team, will reveal what it takes to make a lab, some of their favourites from 2024, and what is to come from the CTI team.

Agenda
- What are CTI labs and how do we select labs to build?
- Build Stage 1 - Research
- Build Stage 2 - "Labified"
- Build Stage 3 - Content
- Build Stage 4 - QA
- Some of our favourite labs
- Examples of speedy launches of labs
- C2 research
- What next for our Threat Research and CTI Labs

You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.

Unmasking Holiday Hackers
Imagine the following scenario… You receive a text message from a “delivery service”. It asks you to click a link to validate your personal information so they can deliver a parcel. Thinking it’s a precious holiday package from one of your many online orders, you click it. You input your credit card number to validate the order, and you enter your address to ensure it’s delivered to the right place, before you have time to realize what’s just happened… 💥 You’ve given all your information to a scammer! 🤯 This is textbook smishing, but that doesn’t make it any less effective. This exact situation happened to Grant Smith; however, he just so happened to be a Certified Ethical Hacker. Smith shared his story and the details of his subsequent investigation with Wired. In the article, we learn that:

- In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers.
- More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains.
- The victims were spread across the United States, with more than 1.2 million pieces of information entered in total. California, the state with the most, had 141,000 entries.

Nobody wants to be part of this user cohort, but smishing attacks are becoming more common and more sophisticated. Around the holiday season we interact with more businesses and technologies across multiple digital channels, and the sense of urgency only increases the closer we get to Christmas, growing your personal threat surface. You can reduce your chances of becoming a victim of cybercrime by upskilling with these labs:

- Staying Safe Online: Safer Browsing
- Staying Safe Online: Identity Theft

Ready to take the reins of the sleigh and get into an investigation like Smith’s yourself? For a holiday-spirited investigation of a phishing attack, start with A Christmas Catastrophe: A Christmas Phish.
From there, you can build a gingerbread-house-solid foundation for your security skills. Consider exploring the Introduction to Penetration Testing and Hack Your First Computer collections. If you’re ready to dig deeper and build the knowledge and skills to use open-source tooling at the next level, you can follow Grant’s steps with Immersive Labs collections:

Scan with Nmap
Nmap is one of the most popular network scanners available. In this introductory collection, you‘ll learn what Nmap is and how to use it to enumerate hosts, ports, and services on a target.

Intercept web traffic with Burp Suite
Burp Suite is a popular tool for pen testing and assessing web application security. This skill collection takes you from the basics of configuring and using Burp Suite to expertly traversing and applying its range of tools and features.

Scan with NsLookup in Introduction to Networking
This collection focuses on core networking concepts and the basics of network connectivity, network topologies, and general networking concepts including IP addresses and the Domain Name System (DNS). Name Server Lookup (nslookup) lets you query DNS to retrieve information such as the IP addresses associated with domain names.

Analyze WebSocket communications with Packet Analysis
Reading packets and understanding the structure of packet captures are essential skills in cybersecurity. This collection introduces the main packet analysis tools and how to look for flags inside packet headers.

Conduct Web Log Analysis
This collection introduces you to the log files produced by web application servers and how they can be interpreted. You’ll be shown how to use common command line tools to analyze the log artifacts, what you can infer from the information captured in logs, and how this information can help when responding to a suspected incident.
Use SQL Injection Basics and SQL Injection to access databases
Learn core SQL injection techniques and build on those skills to extract information from databases. Where a vulnerability exists, this data can be accessed in various ways.

Conduct advanced database investigations with Introduction to Linux Exploitation and Linux Command Line
Gain foundational knowledge of Linux-based software exploitation, commonly used tools, and how the Linux command line interface (CLI) can be used to perform different tasks. The labs in this skill collection range from navigating a file structure to combining multiple commands to achieve a specific goal.

Report valid cyber crimes to the authorities! One avenue is the Internet Crime Complaint Center. If you’re working on an internal investigation for your employer, ensure strict adherence to your organization’s processes and playbooks for threat escalation and remediation.

While you may not need to complete end-to-end tasks like these frequently, it’s an asset to understand the offensive security mindset and the key open-source tooling used to conduct an investigation. Put your Nice List skills to use by continuing your offensive security journey, and consider a Certified Ethical Hacker certification. You might even earn an invite to the North Pole! Or keep upskilling in Immersive Labs to earn more security badges and advance your career as an offensive security practitioner. You can be the light that guides the sleigh through the dark world of cyber criminals!

Share your thoughts
Did you find this case study interesting? Did you find some cross-functional training to bookmark for your personal growth? Please share your thoughts in the comments below! Give those hackers some coal to put somewhere special – their stocking, of course! Make sure you're following the Human Connection Blog to get updates in your inbox!

Patch Tuesday December 2024
CVE-2024-49138 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
Top of the list of things to patch this cycle is a trio of vulnerabilities in the Windows Common Log File System (CLFS) driver. Don't be fooled by their relatively low score of 7.8. At least one of them (CVE-2024-49138) is being actively exploited in the wild, which makes it likely that working exploits for the other two will follow. This is a local privilege escalation, meaning an attacker must already have initial access to the host before using it to gain SYSTEM-level privileges. With those permissions, the threat actor can move laterally across the network, dump credentials to pivot to a domain controller, or disable security tooling to avoid detection by a blue team.

CVE-2024-49114 - 7.8 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
High on the list for patching should be CVE-2024-49114, a privilege escalation vulnerability in the Cloud Files Mini Filter Driver. Listed as “Exploitation More Likely” by Microsoft, its patch notes bear striking similarities to other vulnerabilities reported in the same component that were actively exploited and added to the CISA Known Exploited Vulnerabilities list in late 2023. That history likely contributes to the rating: this class of bug has proven effective for attackers, and existing public examples could make the new one faster to weaponise. Successful exploitation grants SYSTEM-level privileges on the local machine. This kind of privilege escalation step is seen frequently in network compromises, as it lets the attacker disable security tools or run credential-dumping tools like Mimikatz, which in turn enable lateral movement or the compromise of domain accounts.
CVE-2024-49093 - 8.8 - Windows Resilient File System (ReFS) Elevation of Privilege
The Resilient File System (ReFS) is a modern file system developed by Microsoft, designed to provide better data integrity, scalability, and fault tolerance than the New Technology File System (NTFS). Introduced with Windows Server 2012, ReFS is optimized for large-scale storage, virtualization workloads, and environments requiring high data reliability. It incorporates features such as integrity streams to detect and repair data corruption, support for very large volumes and files (up to 35 petabytes), and efficient data management through technologies like block cloning. While it lacks some NTFS features, such as file compression and encryption, ReFS is well suited to enterprise workloads such as Hyper-V storage and resilient Storage Spaces, offering improved performance and reliability for mission-critical systems. This vulnerability is rated “Exploitation More Likely” by Microsoft, with low attack complexity. An attacker only needs to run the exploit from a low-privilege AppContainer to execute code or access resources at a much higher integrity level than the AppContainer allows.

CVE-2024-49126 - 8.1 - Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
The Local Security Authority Subsystem Service (LSASS) is a critical system process in Microsoft Windows that enforces security policy and manages user authentication. It verifies users logging into a Windows system by handling credentials such as passwords and security tokens, and it interacts with Active Directory for domain authentication. LSASS also generates and manages the access tokens that applications and services use to determine user permissions.
This process runs with high privileges, making it a frequent target for attackers aiming to extract credentials from memory or move laterally across a network using tools like the well-known Mimikatz. Protecting LSASS is vital, and modern versions of Windows include features like Credential Guard and process isolation to mitigate the risks of its exploitation. This vulnerability is a use-after-free in which the attacker must win a race condition to reach sensitive data that is not properly protected or locked. It requires no user interaction and no special privileges to begin the attack. It is a remote code execution flaw affecting service accounts: an attacker who triggers it through a network call can execute code in the context of the server’s account.

CVE-2024-49117 - 8.8 - Windows Hyper-V Remote Code Execution Vulnerability
This vulnerability could be exploited by an attacker with authenticated access to a guest virtual machine (VM), who sends carefully crafted file operation requests to interact with the hardware resources allocated to the VM. It is tagged as “return of wrong status code” (CWE-393), which adds context by highlighting a potential miscommunication between components during an attack. If the underlying system incorrectly returns a status code suggesting that an operation succeeded when it did not, or fails to indicate that an unexpected or malicious operation has occurred, exploitation becomes easier. Such miscommunication can obscure the warning signs or error-handling mechanisms that might otherwise mitigate the attack, making the vulnerability easier to exploit and harder to detect.
Because Hyper-V is so deeply integrated into the Windows operating system, it is recommended that you patch this even though exploitation requires access to a guest OS running on the machine.

CVE-2024-49112 - 9.8 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE)
A significant flaw has been identified in the Lightweight Directory Access Protocol (LDAP) service on all versions of Windows since Windows 7 / Server 2008 R2 that can allow an unauthenticated attacker with network access to gain code execution on the underlying server. LDAP is most commonly exposed by Domain Controllers, and it must be reachable by the other servers and clients in an enterprise environment for the domain to function. Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required. Furthermore, it advises that exposure of this service to the internet or to untrusted networks should be stopped immediately. An attacker can make a series of crafted calls to the LDAP service and gain execution in the context of that service, which runs as SYSTEM. Because a Domain Controller’s machine account holds directory replication rights, it is assessed that this would immediately let the attacker perform a DCSync attack and obtain every credential hash in the domain. It is also assessed that an attacker would only need low-privileged access to a Windows host in the domain, or a foothold on the network, to exploit this service and gain complete control of the domain.
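One way to act on the "monitor for signs of exploitation" advice for the DCSync follow-on described above, as an added PowerShell example that is not part of the original post or of Microsoft's guidance: it reads a Domain Controller's Security log for event 4662 entries that request the directory replication control-access rights and were not made by a DC computer account. It assumes that "Audit Directory Service Access" is enabled (otherwise 4662 is never written), that it runs on the DC with permission to read the Security log, and that the MSOL_* allow-list pattern (an Azure AD Connect-style account) is a placeholder for your own legitimate replication exceptions.

```powershell
# Added example, not from the original post or from Microsoft.
# Hunts a Domain Controller's Security log for DCSync-style replication requests:
# event 4662 whose requested control access is one of the directory replication
# rights, made by an account that is not a DC computer account.
# Assumptions: "Audit Directory Service Access" is enabled; the script runs on the
# DC with rights to read the Security log; the allow-list below is tuned per site.

# Control-access GUIDs that Mimikatz-style DCSync requests ask for
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

# Accounts allowed to replicate: every computer in the Domain Controllers OU,
# plus any service account patterns you know about (MSOL_* is an assumption).
$domainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$dcOU     = [ADSI]"LDAP://OU=Domain Controllers,$domainDN"
$allowed  = @($dcOU.Children |
              Where-Object { $_.SchemaClassName -eq 'computer' } |
              ForEach-Object { [string]$_.Properties['sAMAccountName'].Value })
$allowed += 'MSOL_*'

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the XML rendering of the event
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 0x100 = CONTROL_ACCESS; Properties lists the control-access GUIDs requested
    if ($data['AccessMask'] -ne '0x100') { continue }
    $hits = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -like "*$_*" })
    if ($hits.Count -eq 0) { continue }

    $subject = $data['SubjectUserName']
    if ($allowed | Where-Object { $subject -like $_ }) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Subject = "$($data['SubjectDomainName'])\$subject"
        Rights  = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        Object  = $data['ObjectName']
    }
}
```

Any row this prints is a non-DC principal asking the directory for replication data, which is exactly what a DCSync following a compromise of the LDAP service (or of any account with replication rights) looks like; forward the same logic to your SIEM rather than running it by hand once the rule is tuned.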
Discovering how to exploit this condition will be of the utmost importance to attackers, especially ransomware operators: complete control of a Domain Controller in an Active Directory environment gives access to every Windows machine in that domain and allows ransomware to be deployed to all of them. Microsoft also suggests blocking inbound RPC connections from untrusted networks, which may indicate that the vulnerability can be reached over a number of RPC channels and not only via the standard LDAP ports. Environments that run Windows domains with Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation.

CVE-2024-49122 - 7.8 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
The December 2024 Patch Tuesday also disclosed a vulnerability in Microsoft Message Queuing (MSMQ), CVE-2024-49122, which Microsoft rates “Exploitation More Likely” with a remote code execution impact. MSMQ allows asynchronous communication between applications across networks and systems by sending messages to and reading messages from a queue. This vulnerability has high attack complexity and requires the attacker to win a race condition. Successful exploitation, achieved by sending a maliciously crafted MSMQ packet to a server, results in remote code execution.

CVE-2024-5910: Understanding the Critical Expedition Vulnerability
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition tool, widely used for firewall configuration migrations. The flaw, stemming from missing authentication for a critical function, allows an attacker with network access to the Expedition interface to gain administrative privileges without authorization. With a CVSS score of 9.3, this issue represents a significant security risk, particularly for organizations that use Expedition to manage sensitive configuration data.

What is Expedition?
Expedition simplifies the migration of firewall configurations from third-party systems to Palo Alto Networks devices. This process often involves importing sensitive credentials, secrets, and configurations, making the tool's security paramount.

Exploit details
The vulnerability can be exploited by sending crafted requests that reset the administrator password, granting the attacker access to the system. Once inside, a malicious actor could extract sensitive information, tamper with configurations, or launch further attacks against connected systems. Public proof-of-concept (PoC) code for this vulnerability is now available, increasing the urgency of mitigation.

Which systems are affected?
This vulnerability affects Expedition versions before 1.2.92, as detailed in the advisory from Palo Alto Networks. Systems that expose Expedition to the internet are at heightened risk, with recent scans identifying several instances accessible online.

Mitigation steps
- Update Expedition: upgrade to version 1.2.92 or later, where the vulnerability has been patched.
- Restrict access: ensure that network access to the Expedition tool is limited to trusted hosts and users. There’s no valid reason for the tool to be reachable from untrusted networks.
- Change credentials: rotate all administrator passwords, API keys, and firewall credentials processed through Expedition to mitigate any compromise that may already have occurred.
- Monitor for indicators of compromise (IoCs): look for unusual activity in logs or unexpected changes to configurations, which may indicate exploitation.

Recommended content
To learn more about this vulnerability by interacting with it in a sandboxed environment, we have both an offensive and a defensive lab on the platform. The offensive scenario allows you to perform the exploitation using the PoC, whereas our defensive scenario upskills users by showing how to identify the IoCs, giving participants a deep understanding of how the exploit would appear in their environment. To find these labs and others, simply type the relevant CVE number into the Immersive Labs search bar.

Final thoughts
CVE-2024-5910 underscores the importance of promptly addressing vulnerabilities in tools that manage critical infrastructure configurations. Organizations should stay on top of new and emerging threats, patch affected systems immediately, and follow best practices for securing administrative tools like Expedition. Using the Immersive Labs platform, organizations can gain a deep understanding of the most critical vulnerabilities and exploits and prepare for them in a practical and safe setting. For more details from the affected vendor, refer to the official Palo Alto Networks security advisory.

New CTI Lab: Xworm: Analysis
Xworm is a piece of malware first discovered in 2022 being used by threat actors such as NullBulge and TA558. Xworm is a remote access trojan (RAT). Attackers deploy it on compromised machines to steal data, run commands through shell access, and tamper with native security solutions such as Microsoft Windows Defender, preparing the machine for further malware to be dropped and executed.

Why have we created this content?
Xworm is commodity malware that has been observed in the wild and has previously been sold on hacker forums to opportunistic cybercriminals. Recently, cracked versions have been leaked to VirusTotal, GitHub, and other repositories. This content provides a unique look at commodity malware, how it is designed, and what to look out for when you come across it.

What are we publishing?
All customers on a CyberPro License have immediate access to a new lab: Xworm: Analysis

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
- Incident Responders
- Malware Analysts
- Reverse Engineers
- SOC Analysts
- Cyber Threat Intelligence Analysts

We are also hosting a webinar! Come and see what we do as a CTI team and how we help cyber teams with their real-world threat preparedness!

New CTI Labs: CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive and Defensive
Today, we’ve released two brand-new labs focused on exploiting and defending against two new vulnerabilities in Palo Alto firewalls! Learn how to attack a Palo Alto firewall by exploiting these vulnerabilities, as well as how to identify attack remnants and detect them effectively.

Balance Your Business with the Buzz
The question begs for a prioritisation exercise. You need to create a dynamic program structure that addresses security priorities and the highest-volume threats while keeping your finger on the pulse. Let’s dig into how you can balance your priorities.

Balance role-based learning and skills growth with day-to-day job responsibilities. These learning plans usually look like a longer-term goal with continuous growth and skills progression. Some of our favourite Immersive Labs Career Paths (courtesy of the man, the myth, the legend ZacharyAbrams, our Senior Cyber Resilience Advisor) are:
- Network Threat Detection
- Introduction to Digital Forensics
- Incident Response and Digital Forensics
You can also create your own Career Paths!

Buzz your team’s interest and pique security knowledge around the top routinely exploited vulnerabilities and priority threats.
- Latest CVEs and threats: this collection should be the holy grail for referencing and assigning labs on the latest and most significant vulnerabilities, helping you keep yourself and your organisation safe.
Incorporate trending and priority threats like #StopRansomware with the collections below:
- Ransomware: learn about the different strains of ransomware and how they operate.
- Malicious Document Analysis: phishing and malicious documents are major malware attack vectors. Learn to analyse various file types and detect hidden malware.

Balance out the flurry of CVEs and news trends with timely and relevant industry content:
- Financial services customers often prioritise the Risk, Compliance, and Data Privacy collections, or our entire Management, Risk, and Compliance path. We also have a great “Immersive Bank” mini-series: a simulated red team engagement against a fictitious financial enterprise. The series walks through the stages of a simulated targeted attack, starting with information gathering and gaining access, before moving on to pivoting and account abuse.
- Automotive customers might be interested in our CANBus collection to learn more about the CAN bus technology in modern cars and the security threats it faces. We’ve also seen interest in our IoT and Embedded Devices collection and OT/ICS for Incident Responders path!
- Telecommunications customers may be particularly interested in a more timely lab, such as the one on the threat actor Volt Typhoon, which recently made headlines with an attack on ISPs. Given the group's focus on ISPs, telecoms, and US infrastructure, we recommend reviewing its TTPs and mapping them against labs in the Immersive Labs MITRE ATT&CK Dashboard.
Other threats may be a higher priority for your sector – reach out to your CSM or Ask a Question in the community to get suggestions from your peers!

Buzz about the latest and most active threat actors and malware because, let's bee real, everyone wants to keep their finger on the pulse of the latest security happenings. Finance, healthcare, defence, government, and national political organisations are on high alert around Iranian-backed cyber activity. The following content on common attack vectors used by these groups is valuable to organisations today:
IRGC and relevant malware labs:
- APT35
- Peach Sandstorm Tickler Malware
Citrix NetScaler CVEs:
- CVE-2019-19781 (Citrix RCE) – Defensive
- CVE-2019-19781 (Citrix RCE) – Offensive
F5 BIG-IP CVEs:
- CVE-2022-1388 (F5 BIG-IP) – Defensive
- CVE-2022-1388 (F5 BIG-IP) – Offensive

What would this all look like as part of my program?
I like to think of it as a waterfall method, but make sure you consider the overall learning requirement relative to your team’s workloads.
- Annual: role-based Career Paths with a longer completion window (it doesn’t have to be annual – you can set more frequent targets if that suits your team) to meet individual growth and organisational training goals.
- Quarterly to bi-monthly: ‘timely training’ with IL Collections or Custom Collections.
This might include a mix of “Balance” content around industry-relevant topics, upskilling to bridge skills gaps, or “Buzzy” content addressing incident retrospective findings that require skills triage, or an industry trend such as the rise in ransomware or threat actor risk for your sector, as you reprioritise your internal threat landscape through the year.
- Ad hoc: ‘Threat Sprint’ assignments with new CVE and threat actor labs as a small custom collection, with 7–10 day turnarounds per 2–3 hours of content, to address quick priority topics.
Make sure to get feedback from your teams on capacity. But don’t bee afraid to iterate as you upskill your teams, stay stinger-sharp against adversaries, and hive a great time delivering on the business outcomes your organisation is looking for.

Share your thoughts
Have you mastered balancing business with the buzz? Comment below with your successes, failures, and ideas for effective, balanced cybersecurity upskilling programs! Stay safe out there in the field, and keep an eye out (or five) for new articles based on recent events in the cybersecurity space. Get updated in your inbox on posts like this by "following" The Human Connection Blog!

Patch Tuesday November 2024
CVE-2024-49039 - 8.8 - Windows Task Scheduler Elevation of Privilege Vulnerability
Functional exploit code for this vulnerability exists and has been used in the wild, and Microsoft has released an official patch. The Windows Task Scheduler is a built-in utility in Microsoft Windows that allows organizations to automate and schedule tasks or scripts to run at specific times, on specific events, or under certain conditions. It enables users and administrators to automate repetitive tasks, making it easier to manage operations on a computer or network. While no POC has been publicly released, exploitation has been detected. An attacker can run this exploit from a low-privileged AppContainer and invoke remote procedure calls (RPCs) that should be available only to privileged tasks. It is unclear which RPCs are affected, but this could allow an attacker to elevate privileges and execute code on a remote machine as well as on the machine where the exploit is run.

CVE-2024-5535 - 9.1 - OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread
This flaw has existed in OpenSSL since 2011 and was only recently patched; Microsoft is shipping its fix for Microsoft Defender for Endpoint. It is rated 9.1, and several write-ups on the internet describe it in depth. Exploitation, however, requires a user to download a file (for example from an email) and for Defender to “inspect” it in order to achieve code execution.

CVE-2024-43639 - 9.8 - Windows Kerberos Remote Code Execution Vulnerability
This is one of the most threatening CVEs in this release because it affects Kerberos, the authentication protocol used heavily in Windows domain networks. The vulnerability allows an unauthenticated attacker to achieve remote code execution against a vulnerable target inside a Windows domain.
Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability an attacker can perform privileged actions on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal of many attackers targeting a domain.

CVE-2024-49033 - 7.5 - Microsoft Word Security Feature Bypass Vulnerability
This vulnerability targets Microsoft Office Protected View, allowing an attacker to bypass a security feature designed to protect users from potentially unsafe files. Protected View is a read-only mode that restricts editing and certain functionality in files from untrusted sources, such as email attachments or web downloads, to prevent malicious actions. By exploiting this vulnerability, an attacker could craft a malicious Word document that bypasses Protected View, enabling harmful content to run on the victim’s machine if it is opened. A successful attack requires several specific steps because of environment-specific requirements, reflected in the CVSS Attack Complexity (AC) metric of High. Because user interaction (UI) is required, the attacker cannot force the user to open the file; instead they must convince the victim to click a link and open the document, often using persuasive language or enticements. If the user opens the crafted file, Protected View’s protections are bypassed, potentially allowing embedded content such as VBA macros to execute and compromise the system. Depending on the attacker's objectives and the victim's environment, this could result in data exposure, unauthorized access to sensitive information, or broader system compromise.
CVE-2024-49019 - 7.8 - Active Directory Certificate Services Elevation of Privilege Vulnerability
This Active Directory Certificate Services (AD CS) elevation of privilege vulnerability allows an attacker to gain domain administrator privileges if successfully exploited. The vulnerability lies in how certificates issued by a PKI (Public Key Infrastructure) environment are managed when certain misconfigured certificate templates are in use. To determine whether your PKI environment is exposed, check whether any certificates have been published using a version 1 certificate template where the source of the subject name is set to "Supplied in the request" and Enroll permissions are granted to a broad group, such as Domain Users or Domain Computers. This is typically a misconfiguration, and certificates created from templates like the Web Server template could be affected; however, the Web Server template is not vulnerable by default because of its restricted Enroll permissions. If such templates are not properly secured, following the best practices in Microsoft's Securing Certificate Templates documentation, attackers can abuse the template’s permissions to elevate their privileges, potentially gaining domain administrator access. This vulnerability is rated “Exploitation More Likely”. Because it concerns Windows domains, which are used heavily across enterprise organizations, it is very important both to patch it and to look for misconfigurations that could be left behind.

CVE-2024-43451 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability
This Microsoft Patch Tuesday release includes an NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451).
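The template check described for CVE-2024-49019 above, as an added PowerShell example before continuing with CVE-2024-43451; it is not code from the original post or from Microsoft's documentation. It enumerates the forest's certificate templates over plain ADSI (no ActiveDirectory module needed) and reports those that are version 1, have the "Supplied in the request" subject-name flag set, are published on at least one CA, and grant Enroll (or GenericAll, which implies it) to a broad principal. It assumes it runs as a domain user on a domain-joined host, and that the set of "broad" principals it matches (Everyone, Authenticated Users, Domain Users, Domain Computers) is a starting point you extend for your own environment.

```powershell
# Added example, not from the original post or from Microsoft's documentation.
# Reports published certificate templates matching the risky condition:
# schema version 1, subject name "Supplied in the request"
# (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT), and Enroll granted to a broad principal.
# Assumes: runs as a domain user on a domain-joined host (Authenticated Users can
# read the Configuration partition by default); the "broad" principal set below
# is a starting point to extend for your environment.

$EnrolleeSuppliesSubject = 0x1   # bit in msPKI-Certificate-Name-Flag
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-BroadPrincipal([string]$Sid) {
    # S-1-1-0 Everyone, S-1-5-11 Authenticated Users, RID 513 Domain Users, RID 515 Domain Computers
    if ($Sid -in @('S-1-1-0', 'S-1-5-11')) { return $true }
    return ($Sid -match '^S-1-5-21-\d+-\d+-\d+-(513|515)$')
}

function Get-BroadEnrollers([System.DirectoryServices.DirectoryEntry]$Template) {
    # Principals holding Enroll: explicitly, via the "all extended rights" empty GUID, or via GenericAll
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights  = $rule.ActiveDirectoryRights
        $enrolls = (($rights -band $GenericAll) -eq $GenericAll) -or
                   ((($rights -band $ExtendedRight) -ne 0) -and
                    ($rule.ObjectType -eq $EnrollRightGuid -or $rule.ObjectType -eq [guid]::Empty))
        if (-not $enrolls) { continue }
        $sid = $rule.IdentityReference.Value
        if (-not (Test-BroadPrincipal $sid)) { continue }
        # Resolve to a name for the report; fall back to the raw SID if translation fails
        try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
}

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# A template only matters if a CA publishes it (the CA object's certificateTemplates attribute)
$publishedOn = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    $caName = [string]$ca.Properties['cn'].Value
    foreach ($t in $ca.Properties['certificateTemplates']) {
        $key = [string]$t
        if (-not $publishedOn.ContainsKey($key)) { $publishedOn[$key] = @() }
        $publishedOn[$key] += $caName
    }
}

foreach ($tpl in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
    $name    = [string]$tpl.Properties['cn'].Value
    $version = [int]$tpl.Properties['msPKI-Template-Schema-Version'].Value
    $flags   = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value

    if ($version -ne 1)                                { continue }
    if (($flags -band $EnrolleeSuppliesSubject) -eq 0) { continue }
    if (-not $publishedOn.ContainsKey($name))          { continue }

    $broad = @(Get-BroadEnrollers $tpl | Sort-Object -Unique)
    if ($broad.Count -gt 0) {
        [pscustomobject]@{
            Template       = $name
            PublishedOn    = ($publishedOn[$name] -join ', ')
            BroadEnrollers = ($broad -join ', ')
        }
    }
}
```

A default Web Server template will not appear in the output because its Enroll right is restricted to administrative groups, which is consistent with the note above; a template that does appear should have its Enroll ACE tightened or its subject-name source changed before you treat the patch alone as sufficient.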
Although tagged at a moderate severity level with a CVSS score of 6.5, it's important to note that details of this vulnerability have been publicly disclosed and instances of exploitation have been confirmed, so users should take immediate action to mitigate the risk. Further, Microsoft's advisory outlines that CVE-2024-43451 needs only minimal user interaction with a malicious file, such as single-clicking or inspecting it. That action can disclose the user's NTLMv2 hash to the attacker, potentially compromising confidentiality and allowing the attacker to authenticate as the user. All supported versions of Microsoft Windows are affected.

CVE-2024-43642 – 7.5 - Windows SMB Denial of Service Vulnerability
Microsoft has flagged a new vulnerability, CVE-2024-43642, in Windows Server Message Block (SMB). SMB is a network protocol primarily used for sharing access to files, printers, serial ports, and other communication between nodes on a network. This vulnerability could lead to a Denial of Service (DoS), which, if exploited, could disrupt the normal functioning of a service or system. It is a use-after-free, categorized as CWE-416: specific program operations can cause memory to be accessed after it has been freed. With CVSS v3.1 base and temporal scores of 7.5 and 6.5, Microsoft assigns it an 'Important' severity rating, pointing to the potential for considerable disruption and possible downtime on affected systems.

CVE-2024-43602 – 9.9 – Azure CycleCloud Remote Code Execution Vulnerability
CVE-2024-43602 affects Azure CycleCloud, an orchestration and management tool often used for High-Performance Computing (HPC). The vulnerability is an instance of CWE-285, 'Improper Authorization', and carries CVSS v3.1 base and temporal scores of 9.9 and 8.6.
At the time of writing, Microsoft's exploitability assessment for this one is ‘Exploitation Less Likely’, although the attack complexity is rated Low. To exploit it, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster and thereby gain root-level permissions. The attacker could then execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials. Despite this, no exploitation has been observed so far.

New CTI Lab: CRON#TRAP – Linux Environment Emulation
On November 4, 2024, Securonix published research identifying a novel attack chain in which attackers deploy a custom Linux machine using the QEMU emulator to persist on endpoints, allowing them to run commands and deliver malware.

Why have we created this content?
Given that this technique is new and novel, this content was created to educate users on how legitimate tooling, such as virtual environments, can be abused by attackers. When a user is tricked into opening a .lnk file, the virtual machine starts on the host, giving backdoor access to an endpoint that effectively acts as a proxy.

What are we publishing?
All customers on a CyberPro License have immediate access to a new lab: CRON#TRAP – Linux Environment Emulation

Who is this content for?
This lab is focused on upskilling and increasing the defensive capabilities of the following roles:
- Incident Responders
- Threat Hunters
- Malware Analysts