Operational CTI: Lessons from the Attacks That Didn’t Target You
Many organizations overlook vulnerabilities and attack campaigns that don’t directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we’ll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques — even those that haven’t targeted your organization — can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats.

Key Takeaways

Threat Awareness Beyond Your Scope – Understanding attack campaigns that don’t directly affect your organization can still provide critical insights into evolving threat landscapes.
Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they become exploited.
Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats.
Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they’re not immediate targets.
Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.

Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended.

📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here are a few tips to help you get the most from your experience:

🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience.
🔗 To join today's session, visit the event page or simply use the Zoom link.
❓ You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here.

Event Description

Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team, will reveal what it takes to make a lab, some of their favourites from 2024, and what is to come from the CTI team.

Agenda

What are CTI labs and how do we select labs to build?
Build Stage 1 - Research
Build Stage 2 - "Labified"
Build Stage 3 - Content
Build Stage 4 - QA
Some of our favourite labs
Examples of speedy launches of labs
C2 research
What next for our Threat Research and CTI Labs

You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event. This webinar will be live at 3pm GMT and will be recorded.

Cozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion at TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right?

The Cozy Bear group has been observed using tools and techniques that target government, healthcare, and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl.

All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetrated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group:

APT29: Threat Hunting with Elasticsearch
Successful cyber threat hunting relies on a combination of information, from cyber threat intelligence to detailed event logs from endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario.

APT29: Threat Hunting with Splunk
These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk.

Brute Ratel: Extracting Indicators of Compromise
Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements.
This tool has been observed in the wild being used by nation-state actors, specifically APT29.

The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out:

CVE-2019-19781 (Citrix RCE) – Defensive
CVE-2019-19781 (Citrix RCE) – Offensive
CVE-2020-5902 (F5 BIG-IP) – Defensive
CVE-2020-5902 (F5 BIG-IP) – Offensive

We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed in established threat actors and attack vectors, so your organization stays out of the news 🙅♀️🐻📰

Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!

New CTI Lab: Xworm: Analysis
Xworm is a piece of malware that was first discovered in 2022 being used by threat actors like NullBulge and TA558. Xworm is a remote access trojan (RAT). Attackers deploy it onto compromised machines to steal data, facilitate remote code execution through shell access, and tamper with native security solutions like Microsoft Windows Defender, preparing the way for other malware to be dropped and executed on the machine.

Why have we created this content?

Xworm is a commodity piece of malware that has been observed in the wild and has previously been observed being sold on hacker forums to opportunistic cybercriminals. Recently, cracked versions of this malware have been leaked to VirusTotal, GitHub, and other repositories. This content provides a unique look into commodity malware, how it's designed, and what to look out for when coming across it.

What are we publishing?

All customers on a CyberPro License have immediate access to a new lab: Xworm: Analysis.

Who is this content for?

This lab is focused on upskilling and increasing the defensive capabilities of the following roles:

Incident Responders
Malware Analysts
Reverse Engineers
SOC Analysts
Cyber Threat Intelligence Analysts

We are also hosting a webinar! Come and see what we do as a CTI team and how we help cyber teams with their real-world threat preparedness!

Patch Tuesday December 2024
CVE-2024-49138 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Top of the list of things to patch this cycle is a trio of vulnerabilities in the Windows Common Log File System Driver. Don't be fooled by their relatively low score of 7.8. At least one of these (CVE-2024-49138) is being actively exploited in the wild by threat actors, making it likely that the other two vulnerabilities will also be discovered. This vulnerability is a local privilege escalation, which means that an attacker must first gain initial access to the host before using it to obtain SYSTEM-level privileges. With this higher level of permissions, the threat actor can move laterally across the network, dump credentials to pivot to a domain controller, or even disable security tooling to avoid detection by a blue team.

CVE-2024-49114 - 7.8 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

High on the list for patching should be CVE-2024-21310, a privilege escalation vulnerability in the Cloud Files Mini Filter Driver. Microsoft lists it as “exploitation more likely”, and the patch notes have striking similarities to other vulnerabilities reported in the same component that are actively being exploited and that appeared on the CISA Known Exploited Vulnerabilities list late in 2023. This likely contributes to the “exploitation more likely” rating: the technique is proven and effective for attackers, and the existing public examples could make this variant faster to weaponise. If an attacker exploits this vulnerability, they can gain SYSTEM-level privileges on the local machine. This type of privilege escalation step is frequently seen in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like Mimikatz that in turn enable lateral movement or the compromise of domain accounts.
CVE-2024-49093 - 8.8 - Windows Resilient File System (ReFS) Elevation of Privilege

The Resilient File System (ReFS) is a modern file system developed by Microsoft, designed to provide enhanced data integrity, scalability, and fault tolerance compared to the New Technology File System (NTFS). Introduced with Windows Server 2012, ReFS is optimized for large-scale storage solutions, virtualization workloads, and environments requiring high data reliability. It incorporates features like integrity streams to detect and repair data corruption, support for massive volumes and file sizes (up to 35 petabytes), and efficient data management through technologies like block cloning. While it lacks some NTFS features, such as file compression and encryption, ReFS is particularly suited for enterprise applications, such as Hyper-V storage and resilient storage spaces. It offers improved performance and reliability for mission-critical workloads.

This vulnerability has been described as “exploitation more likely” by Microsoft, and the attack complexity required is said to be low. All the attacker has to do is execute the exploit from a low-privilege AppContainer, and they are able to execute code or access resources at a much higher integrity level than the AppContainer.

CVE-2024-49126 - 8.1 - Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a critical system process in Microsoft Windows that enforces security policies and manages user authentication. It verifies users logging into a Windows system by handling credentials, such as passwords and security tokens, and interacts with Active Directory for domain authentication. LSASS also generates and manages the access tokens that applications and services use to determine user permissions.
This process runs with high privileges, making it a frequent target for attackers aiming to extract credentials from memory or perform lateral movement in a network using tools like the famous Mimikatz. Protecting LSASS is vital, and modern versions of Windows include features like Credential Guard and process isolation to mitigate the risks associated with its exploitation.

This vulnerability is a use-after-free in which the attacker has to win a race condition to get access to sensitive data that is not properly protected or locked. It requires no interaction from the user, nor any special privileges to begin the attack. It is a remote code execution vulnerability affecting service accounts: an attacker can trigger malicious code in the context of the server’s account through a network call.

CVE-2024-49117 - 8.8 - Windows Hyper-V Remote Code Execution Vulnerability

This vulnerability could be exploited by an attacker who has authenticated access to a guest virtual machine (VM). The attacker could send carefully crafted file operation requests to interact with the hardware resources allocated to the VM. This vulnerability has been tagged as “return of wrong status code,” which adds further context by highlighting a potential miscommunication between components during an attack. If the underlying system incorrectly returns a status code suggesting that an operation was successful when it was not—or fails to indicate that an unexpected or malicious operation has occurred—it can facilitate exploitation. In this scenario, such miscommunication could obscure warning signs or error handling mechanisms that might otherwise mitigate the attack, making the vulnerability easier to exploit and harder to detect.
Because Hyper-V is so deeply integrated into the Windows operating system, it is recommended to patch this even though exploitation requires access to a guest OS running on the machine.

CVE-2024-49112 - 9.8 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE)

A significant flaw has been identified in the Lightweight Directory Access Protocol (LDAP) service on all versions of Windows since Windows 7 / Server 2008 R2 that can allow an unauthenticated attacker with network access to gain code execution on the underlying server. LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network, and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function.

Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required. Furthermore, they advise that exposure of this service either to the internet or to untrusted networks should be stopped immediately. They have said that an attacker can make a series of crafted calls to the LDAP service and gain access within the context of that service, which will be running with SYSTEM privileges. Because of the Domain Controller status of the machine account, it is assessed that this will instantly allow the attacker to perform a DCSync attack and get access to all credential hashes within the domain. It is also assessed that an attacker will only need low-privileged access to a Windows host within a domain, or a foothold within the network, in order to exploit this service and gain complete control over the domain.
Discovery of how to exploit this condition will be of the utmost importance to attackers, especially ransomware operators, as complete control of a Domain Controller in an Active Directory environment can allow access to every Windows machine that is part of that domain and allow the deployment of ransomware to every machine. Microsoft also suggests blocking ‘inbound RPC’ connections from untrusted networks, which may indicate that the vulnerability can be exploited over a number of RPC channels, not only via the standard LDAP ports. Environments that run Windows networks with Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation.

CVE-2024-49122 - 7.8 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

This December 2024 Patch Tuesday saw a vulnerability in Microsoft Message Queuing (MSMQ) being disclosed. Denoted as CVE-2024-49122, Microsoft has outlined this vulnerability as “exploitation more likely” with a “remote code execution” impact. MSMQ allows asynchronous communication between applications across various networks and systems by sending and reading messages from a queue. This vulnerability requires a high level of attack complexity and for the attacker to win a race condition. Successful exploitation is achieved by sending a maliciously crafted MSMQ packet to a server, which results in remote code execution.

Patch Tuesday November 2024
CVE-2024-49039 - 8.8 - Windows Task Scheduler Elevation of Privilege Vulnerability

Microsoft has released an official patch for this vulnerability because the exploit code found is functional and has been used in the wild. The Windows Task Scheduler is a built-in utility in Microsoft Windows that allows organizations to automate and schedule tasks or scripts to run at specific times, during specific events, or under certain conditions. It enables users and administrators to automate repetitive tasks, making it easier to manage various operations on a computer or network.

While a POC has not been publicly released for this vulnerability, exploitation has been detected. An attacker can perform this exploit from a low-privileged AppContainer and effectively execute remote procedure calls (RPCs) that should be available only to privileged tasks. It is unclear which RPCs are affected here, but it could give an attacker the ability to elevate privileges and execute code on a remote machine, as well as on the machine on which they are triggering the vulnerability.

CVE-2024-5535 - 9.1 - OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread

This OpenSSL vulnerability has been present in OpenSSL since 2011 and has only recently been patched. Microsoft is releasing its fix for Microsoft Defender for Endpoint. It is rated 9.1 and has a few write-ups on the internet describing this vulnerability in depth. However, it does require the user to download a file from something like an email and have Defender “inspect” it to achieve code execution.

CVE-2024-43639 - 9.8 - Windows Kerberos Remote Code Execution Vulnerability

This is one of the most threatening CVEs from this patch release because it is related to Kerberos, an authentication protocol used heavily in Windows domain networks. The vulnerability allows an unauthenticated attacker to perform remote code execution against a vulnerable target inside a Windows domain.
Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged actions on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.

CVE-2024-49033 - 7.5 - Microsoft Word Security Feature Bypass Vulnerability

This vulnerability targets Microsoft Office Protected View, allowing an attacker to bypass a security feature designed to protect users from potentially unsafe files. Protected View is a read-only mode that restricts editing and certain functionality in files downloaded from untrusted sources, such as email attachments or web links, to prevent malicious actions. By exploiting this vulnerability, an attacker could craft a malicious Word document capable of bypassing Protected View, enabling harmful actions to run on the victim’s machine if it is opened.

A successful attack requires several specific steps due to the high complexity of the environment-specific requirements, as indicated by a high CVSS Attack Complexity (AC) score. Because user interaction (UI) is required, the attacker cannot force the user to open the file; instead, they must convince the victim to click on the link and open the document, often using persuasive language or enticements. If the user opens the crafted file, the protections of Protected View will be bypassed, potentially allowing malware to execute commands such as traditional VBA code and compromise the system. Depending on the attacker's objectives and the victim's environment, this could result in data exposure, unauthorized access to sensitive information, or broader system compromise.
CVE-2024-49019 - 7.8 - Active Directory Certificate Services Elevation of Privilege Vulnerability

This Active Directory Certificate Services (AD CS) elevation of privilege vulnerability allows an attacker to gain domain administrator privileges if successfully exploited. The vulnerability exists in the management of certificates issued by a PKI (Public Key Infrastructure) environment using certain misconfigured certificate templates.

To determine if your PKI environment is vulnerable, check whether any certificates have been published using a version 1 certificate template where the source of the subject name is set to "Supplied in the request" and enroll permissions are granted to a broader group, such as domain users or domain computers. This is typically a misconfiguration, and certificates created from templates like the Web Server template could be affected. However, the Web Server template is not vulnerable by default because of its restricted enroll permissions.

The vulnerability targets certificates created using a version 1 certificate template with "supplied in the request" as the subject name source. If these templates are not properly secured — according to the best practices outlined in Microsoft's Securing Certificate Templates documentation — attackers can abuse the template’s permissions and elevate their privileges, potentially gaining domain administrator access.

Microsoft rates this vulnerability as more likely to be exploited. Because it is related to Windows domains, which are used heavily across enterprise organizations, it is very important to patch it and to look for misconfigurations that could be left behind.

CVE-2024-43451 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability

This Microsoft Patch Tuesday release includes an NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451).
Although tagged at a moderate severity level with a CVSS score of 6.5, it's important to note that details regarding this security vulnerability have been publicly disclosed, and instances of its exploitation have been confirmed. Users should therefore take immediate action to mitigate potential risks. Further, the Microsoft advisory released today outlines that CVE-2024-43451 only needs minimal user interaction with a malicious file, which can include either clicking or inspecting it. This action could disclose a user's NTLMv2 hash to the attacker, potentially compromising confidentiality and allowing the hacker to authenticate as the user. The affected versions are all of the supported versions of Microsoft Windows.

CVE-2024-43642 – 7.5 - Windows SMB Denial of Service Vulnerability

Microsoft has flagged a new security vulnerability, CVE-2024-43642, in its Windows Server Message Block (SMB). SMB is a network protocol primarily used for sharing access to files, printers, serial ports, and other communications between nodes on a network. This vulnerability could potentially lead to a Denial of Service (DoS), which, if exploited, could disrupt the normal functioning of a service or system.

The vulnerability is a use-after-free, categorized as CWE-416: specific program operations can cause memory to be accessed after it has been freed. Under Microsoft's rubric, with a CVSS v3.1 score of 7.5/6.5, this vulnerability carries an 'Important' severity rating, pointing to the potential for considerable disruption and downtime on affected systems.

CVE-2024-43602 – 9.9 – Azure CycleCloud Remote Code Execution Vulnerability

CVE-2024-43502 is related to Azure CycleCloud, an orchestration and management tool often used for High-Performance Computing (HPC). This vulnerability is an instance of CWE-285: 'Improper Authorization' and carries a CVSS rating of 9.9/8.6.
At the time of writing, Microsoft's exploitability assessment on this one is ‘Exploitation Less Likely’, although the attack complexity is outlined as Low. To exploit this vulnerability, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster, thereby gaining root-level permissions. Consequently, the attacker could execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials. Despite this, the vulnerability is currently unexploited.

Understanding CVE-2024-3094: A Major Software Security Issue in XZ Utils
What is CVE-2024-3094?

Recently, a critical security problem, known as CVE-2024-3094, was found in the XZ Utils library. XZ Utils is a set of open-source command-line tools and libraries for lossless data compression on various Linux systems. If your systems are running Linux or Mac, your OS likely uses it in the background when unpacking archives, and even if you’re using Windows, most of your services will use XZ Utils. The malicious code allowed for SSH backdoor access and remote code execution on affected systems, earning the maximum CVSS score of 10.

The harmful code was hidden within the XZ Utils software by a ‘trusted’ developer, starting with version 5.6.0. This developer was actually a bad actor who gained the trust of the sole maintainer of the code over many years of social engineering, with multiple fake identities created to convince the maintainer that they were trustworthy. To learn more, check out the emails on research.swtch.com.

Which Linux systems are affected?

The compromised versions of XZ have been found in certain versions of Debian, Kali Linux, OpenSUSE, Arch Linux, and Fedora:

Debian: Unstable/Sid versions from 5.5.1alpha-0.1 to 5.1.1-1
Kali Linux: Systems updated between March 26-29, 2024
OpenSUSE: Rolling releases Tumbleweed and MicroOS between March 7-28, 2024
Arch Linux: Versions 2024.03.01, VM images from late February to late March 2024
Fedora: Rawhide and Fedora 40 Beta

Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094

How could this security issue be used by bad actors?

Attackers could exploit this vulnerability by taking advantage of the backdoor inserted into the XZ Utils library. With this vulnerability, they can:

Exploit the backdoor: Using the backdoor, attackers could bypass SSH authentication, allowing them to gain access to the system without needing valid credentials.
Elevate privileges: Once inside, attackers could attempt to gain higher-level access, enabling them to control more parts of the system.
Establish persistence: Attackers might install persistent malware to maintain access to the compromised system.
Spread laterally: From the initial compromised system, attackers could move laterally within the network, targeting other systems and spreading their control.
Steal sensitive data: Attackers could access and exfiltrate sensitive data, such as personal information, financial records, or intellectual property.
Disrupt operations: By tampering with critical services or data, attackers could disrupt business operations, leading to downtime and financial losses.
Deploy ransomware: Attackers could encrypt critical data and demand a ransom for its decryption, causing further damage and financial loss.

How to protect your systems

To protect your systems from this vulnerability, verify whether your systems are using the compromised versions of XZ Utils and keep up with the latest advice from vendors. If your systems contain the mentioned versions, make sure you update to at least version 5.6.1-2. You’ll also want to ensure proper security hygiene by keeping all other software up to date with the latest security patches. Finally, make sure your IT and security teams understand this vulnerability, are able to fix it, and know how to respond to potential threats.

Conclusion

CVE-2024-3094 highlights the importance of securing the software supply chain. By understanding this security issue and taking proactive steps, you can better protect your systems from sophisticated attacks. Keep your systems updated, improve your organizational resilience, and consult with your software vendors for the latest security information.

Recommended content

If you’d like to know more, we have an XZ Utils Lab in the latest CVEs collection. In the lab, you'll take on the role of a CIRT analyst researching backdoor deployment techniques.
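A host check for the “How to protect your systems” advice above, written here as an added example and not taken from the original post or from Immersive Labs. It assumes, since the page does not say so, that the backdoored upstream releases are 5.6.0 and 5.6.1, that the backdoor lived in liblzma and was reached through sshd loading that library, and that sshd lives at /usr/sbin/sshd; the sample version output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: a host check for the XZ Utils
# releases discussed in the CVE-2024-3094 write-up above. Assumptions not on
# the page: the backdoored upstream releases are 5.6.0 and 5.6.1 (per the CVE
# record), the malicious code lived in liblzma and was reached through sshd
# loading that library, and sshd is installed at /usr/sbin/sshd.

# Pull "major.minor.patch" out of one line of `xz --version` output such as
# "xz (XZ Utils) 5.6.1" or "liblzma 5.6.1-2". A distro package revision
# ("-2") is dropped so that only the upstream release is compared.
xz_parse_version() {
    for word in $1; do
        case $word in
            [0-9]*.[0-9]*.[0-9]*)
                printf '%s\n' "${word%%[!0-9.]*}"
                return 0
                ;;
        esac
    done
    return 1
}

# Exit 0 when the upstream release is one of the two that shipped the backdoor.
xz_version_is_compromised() {
    case $1 in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Takes the full multi-line output of `xz --version`. The liblzma line is the
# one that matters (the backdoor lived in the library, not the xz binary), so
# it is preferred and the xz line is only a fallback.
xz_output_version() {
    lib=$(printf '%s\n' "$1" | grep -i '^liblzma' | head -n 1)
    bin=$(printf '%s\n' "$1" | grep -i '^xz' | head -n 1)
    xz_parse_version "${lib:-$bin}"
}

xz_output_is_compromised() {
    ver=$(xz_output_version "$1") || return 1
    xz_version_is_compromised "$ver"
}

# Exit 0 when the given binary links liblzma, directly or through another
# library such as libsystemd; ldd resolves transitive dependencies.
binary_links_liblzma() {
    [ -x "$1" ] || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

# Constructed sample outputs (not captured from a real host) for a dry run.
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_GOOD='xz (XZ Utils) 5.4.5
liblzma 5.4.5'

# Run both checks against the live host and print a verdict. Returns 1 when a
# backdoored upstream release is installed, 0 otherwise.
xz_audit() {
    sshd=${1:-/usr/sbin/sshd}
    status=0
    if command -v xz >/dev/null 2>&1; then
        out=$(xz --version 2>/dev/null)
        ver=$(xz_output_version "$out") || ver=unknown
        if xz_output_is_compromised "$out"; then
            echo "WARNING: XZ Utils $ver is a backdoored upstream release; confirm with your vendor advisory and update"
            status=1
        else
            echo "OK: XZ Utils $ver is not a backdoored upstream release"
        fi
    else
        echo "xz not found in PATH; nothing to check"
    fi
    if binary_links_liblzma "$sshd"; then
        echo "NOTE: $sshd links liblzma, the path through which the backdoor was reached"
    else
        echo "OK: $sshd is missing or does not link liblzma"
    fi
    return $status
}

xz_audit "$@"
```

A match is a prompt to compare full package versions against your vendor advisory rather than a verdict on its own, since a distribution can rebuild or revert a package without changing the upstream number (the “-2” in the page's 5.6.1-2 is such a package revision).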
Share your thoughts

If this vulnerability impacted your organization, what steps did you take to fix it, and what changes have you made to prevent future issues? Comment and collaborate with others in the comments!