Cozy Bear? Not So Cozy…
When you think of a “cozy bear”, you might think of Winnie the Pooh or a faux fur throw by the fire, not a criminal hacker group that’s been active since 2008. There was an intrusion to TeamViewer, the most popular remote access software, on 26 June 2024. Evidence points accountability towards Russia’s Midnight Blizzard group, also known as APT29, the Dukes, and the Cozy Bear group. Not exactly the type of behavior you’d expect from a cozy bear, right? The Cozy Bear group has been observed using tools and techniques that target groups like government,healthcare and energy organizations. Its most common techniques include scanning (T1595.002) and exploitation (T1190) against vulnerable systems. It’s also associated with the notorious SolarWinds incident in 2021 that resulted in the first ever SEC charges against a CISO. It’s safe to say this bear isn’t hibernating, it’s on the prowl. All honey pots aside, Immersive Labs has a dedicated Threat Actor Lab for APT29 and a wealth of content around other attack types perpetuated by this malicious threat group. Ensure your teams aren’t caught in a bear trap by exploring or revisiting content designed specifically around this cyber espionage group: APT29: Threat Hunting with Elasticsearch Successful cyber threat hunting relies on a combination of information from cyber threat intelligence to detailed event logs via endpoints, network devices, and security tools. This lab collection gives you an opportunity to explore some of these concepts through the lens of an emulated APT29 attack scenario. APT29: Threat Hunting with Splunk These labs follow the same attack path as the above collection, but with different tactical and system focuses, providing an opportunity to explore concepts through the lens of an emulated APT29 attack scenario with Splunk. Brute Ratel: Extracting Indicators of Compromise Brute Ratel C4 is a commercial command and control (C2) framework for adversary simulation and red team engagements. This tool has been observed in the wild being used by nation-state actors, specifically APT29. The following labs are also based on this threat group’s known tactics, techniques, and procedures (TTPs) and exploits. Check them out: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive CVE-2020-5902 (F5 BIG-IP) – Defensive CVE-2020-5902 (F5 BIG-IP) – Offensive We may be having fun here, but your cyber readiness is no joke. Make sure your teams are up to date on the newest CVEs and that they’re well versed on established threat actors and attack vectors – so your organization stays out of the news 🙅♀️🐻📰 Share your thoughts! Do you like bear-themed articles? Do you plan to assign or bookmark these recommended labs? We’re beary eager for your feedback in the comments below!Patch Tuesday October 2024
CVE-2024-43572 - 7.8 - Microsoft Management Console Remote Code Execution Vulnerability Top of the list for patching should be a vulnerability in the Microsoft Management Console. While the CVSS score is not the highest in the patch notes, it is being actively exploited in the wild by threat actors and warrants immediate attention. While the notes say “Remote code execution” this vulnerability requires user interaction and some degree of social engineering. To exploit this vulnerability an attacker must craft a malicious .msc file that, if opened, will run arbitrary code or commands that allow a threat actor to compromise the host. This file would typically be sent via email as an attachment or as a link to a download. After patching, security teams and threat hunters should proactively check historical logs for indicators of these files being sent and received. Organizations not able to deploy patches quickly across their organization should add additional monitoring and blocking rules targeting these file extensions. The fix deployed by Microsoft prevents untrusted msc files from being executed. CVE-2024-43609 - 6.5 - Microsoft Office Spoofing Vulnerability While not actively exploited in the wild, CVE-2024-43609 should be one to pay closer attention to as Micorosft has listed this one as “Exploitation More Likely”. This vulnerability affects Microsoft office and allows an attacker to gain access to the NTLM credentials of any user interacting with the documents. If an attacker is able to read the NTLM hash, they can use this in a common attack known as “Pass the Hash,” where the attacker could authenticate as the user without knowing their password, which is where the “spoofing” part of the vulnerability description comes from. This type of attack is frequently exploited by threat actors in the wild, leading to remote exploitation. Organizations should follow Microsoft Guidance on blocking outbound SMB ports and configuring Network security policies related to NTLM traffic. CVE-2024-43573 - 6.5 - Windows MSHTML Platform Spoofing Vulnerability This vulnerability has been discovered within the MSHTML platform used by certain Microsoft applications, including Internet Explorer mode in Microsoft Edge. The vulnerability allows an attacker to trick users into viewing malicious web content, which could appear legitimate due to the way the platform handles certain web elements. Once a user is deceived into interacting with this content (typically through phishing attacks), the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services. Importantly, this attack requires no special permissions or knowledge of the user’s system, making it relatively easy for cybercriminals to execute. Rated at 6.5 out of 10 in severity, the vulnerability has already been exploited by attackers, making it a serious concern for large organisations that still rely on legacy web applications within their environment. For example, many larger and more mature organizations may still use Internet Explorer due to the need for compatibility with certain internal applications. Despite Internet Explorer being retired on many platforms, its underlying MSHTML technology remains active and vulnerable. This creates a risk for employees using these older systems as part of their everyday work, especially if they are accessing sensitive data or performing financial transactions online. To address this issue, Microsoft includes fixes for the MSHTML platform in its Internet Explorer Cumulative Updates. It’s crucial for businesses, especially those with legacy systems, to ensure they apply these updates regularly to remain protected from potential attacks. CVE-2024-43582 - 8.1 - Remote Desktop Protocol Server Remote Code Execution Vulnerability This use-after-free vulnerability in the Remote Desktop Protocol (RDP) service affecting Windows Server and Client from versions 2019 and 10 (1809) onwards which can lead to Remote Code execution, has been patched by Microsoft. Little information is known about the vulnerability, except that it can be exploited by an unauthenticated attacker sending a malformed packet to a RPC host. This could lead to execution with the same permissions as the RPC service. It is assessed that if this description refers to the RPCSS service that whilst the service runs with the permissions of NETWORK SERVICE, privilege to SYSTEM after the fact would be trivial due to permissions afforded to that account and the use of ‘potato’ exploits. It should be assumed that any successful exploitation of this vulnerability will lead to complete compromise of the targeted system and in environments where RDP is heavily used to system management, or where Remote Desktop Gateway (RDG) is used (RDG does allow RPC interaction via HTTP/S) to give users access to secure environments, patching should be considered a priority. Vulnerabilities in RDP are quite rare in nature and Microsoft believes that exploitation is difficult and less likely, but now that details of an issue have been released and experts begin the process of reversing the newly released patches, however it may only be a matter of time before in the wild exploitation is seen. An exploit of this nature will be highly prized by Ransomware Groups, because it allows an attacker total compromise of a system without knowledge of any credentials and, could help them reach high value targets, such as Domain Controllers. It can be used to launch the destructive phase of an attack across the entire domain. CVE-2024-43583 - 6.8 - Winlogon Elevation of Privilege Vulnerability This vulnerability has been identified in the Winlogon process. Winlogon is responsible for handling secure user logins in Windows. This vulnerability, rated 6.8 out of 10 in severity, allows an attacker with local access to a machine to elevate their privileges to SYSTEM level, which is the highest level of access in Windows. This could enable the attacker to take full control of the affected system, manipulate settings, access sensitive data, or install malicious software. Although it is quite uncertain due to the lack of information provided by Microsoft, the local nature of this vulnerability means that the attacker needs physical access to the machine or to be already logged in, making it similar to kiosk breakout scenarios where restricted environments can be bypassed. This makes it a concern for public kiosks, shared computers, or any device that restricts user access but could still be exploited by someone with local access. To protect against this vulnerability, it’s important to ensure that a Microsoft first-party Input Method Editor (IME) is enabled on your device. IMEs are used to input complex characters during the sign-in process, and third-party IMEs could be vulnerable to attack. This is particularly relevant when installing language packs for your keyboard, as some third-party IMEs can be exploited during login. By using a Microsoft IME, one can minimize the risk of this vulnerability being exploited during the sign-in process.Understanding CVE-2024-3094: A Major Software Security Issue in XZ Utils
What is CVE-2024-3094? Recently, a critical security problem, known as CVE-2024-3094, was found in the XZ Utils library. XZ Utils is a set of open-source command-line tools and libraries for lossless data compression on various Linux systems. If your systems are running Linux or Mac, your OS likely uses it in the background when unpacking archives, and even if you’re using Windows, most of your services will use XZ Utils. This code allowed for SSH backdoor access and remote code execution on affected systems, earning a maximum CVSS score of 10. The harmful code was hidden within the XZ Utils software by a ‘trusted’ developer, starting with version 5.6.0. This developer was actually a bad actor who gained the trust of the sole maintainer of the code over many years of social engineering with multiple fake identities created to convince the maintainer that they were trustworthy. To learn more, check out the emails on research.swtch.com . Which Linux systems are affected? The compromised versions of XZ have been found in certain versions of Debian, Kali Linux, OpenSUSE, Arch Linux, and Fedora: Debian: Unstable/Sid versions from 5.5.1alpha-0.1 to 5.1.1-1 Kali Linux: Systems updated between March 26-29, 2024 OpenSUSE: Rolling releases Tumbleweed and MicroOS between March 7-28, 2024 Arch Linux: Versions 2024.03.01, VM images from late February to late March 2024 Fedora: Rawhide and Fedora 40 Beta Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094 How could this security issue be used by bad actors? Attackers could exploit this vulnerability by taking advantage of the backdoor inserted into the XZ Utils library. With this vulnerability, they can: Exploit the backdoor: Using the backdoor, attackers could bypass SSH authentication, allowing them to gain access to the system without needing valid credentials. Elevate privileges: Once inside, attackers could attempt to gain higher-level access, enabling them to control more parts of the system. Establish persistence: Attackers might install persistent malware to maintain access to the compromised system. Spread laterally: From the initial compromised system, attackers could move laterally within the network, targeting other systems and spreading their control. Steal sensitive data: Attackers could access and exfiltrate sensitive data, such as personal information, financial records, or intellectual property. Disrupt operations: By tampering with critical services or data, attackers could disrupt business operations, leading to downtime and financial losses. Deploy ransomware: Attackers could encrypt critical data and demand a ransom for its decryption, causing further damage and financial loss. How to protect your systems To protect your systems from this vulnerability, you should verify if your systems are using the compromised versions of XZ Utils and keep up with the latest advice from vendors. If your systems contain the mentioned versions, make sure you update to at least version 5.6.1-2. You’ll also want to ensure proper security hygiene by keeping all other software up to date with the latest security patches. Finally, make sure your IT and security teams understand this vulnerability, are able to fix it, and know how to respond to potential threats. Conclusion CVE-2024-3094 highlights the importance of securing the software supply chain. By understanding this security issue and taking proactive steps, you can better protect your systems from sophisticated attacks. Keep your systems updated, improve your organizational resilience, and consult with your software vendors for the latest security information. Recommended content If you’d like to know more, we have an XZ Utils Lab in the latest CVEs collection. In the lab, you'll take on the role of a CIRT analyst researching backdoor deployment techniques. Share your thoughts If this vulnerability impacted your organization, what steps did you take to fix it, and what changes have you made to prevent future issues? Comment and collaborate with others in the comments!Understanding CTI and What it Means at Immersive Labs
The essence of cyber threat intelligence CTI involves understanding the who, what, why, and how of cyber threats. It's about transforming data into actionable intelligence, helping organizations anticipate threats, prepare defenses, and respond effectively. Imagine knowing not just that there’s a storm coming but precisely where it’ll hit, how strong it’ll be, and what precautions you need to take – that’s the power of CTI in cybersecurity. How cyber threat intelligence works Generating CTI is a complex process that begins with gathering data from various sources. These include network logs, threat feeds, social media, dark web forums, and cybersecurity agency reports. This raw data is then processed and analyzed for patterns, trends, and indicators of compromise (IoCs) like malicious IP addresses or hash files. Advanced techniques, including machine learning and behavioral analysis, help sift through the noise, turning raw data into meaningful insights. Turning intelligence into action CTI excels by providing context to security alerts, allowing teams to prioritize their responses based on a comprehensive understanding of the threat landscape. For instance, if CTI identifies a malware strain targeting financial institutions, a bank can proactively strengthen its defenses. This enhances protection and improves incident response efficiency, making containment and remediation faster and more effective. So, what is CTI at Immersive Labs? The Immersive Labs CTI team constantly monitors threats that target our customers’ industries. This includes common vulnerabilities and exposures (CVEs), malware campaigns, and new techniques that are likely to affect our customers’ cybersecurity landscape. Once we’ve identified a threat that our customers should protect themselves against, we respond rapidly to create a lab so our customers can stay ahead of the cyber threat landscape. Our labs provide all the information needed to understand and defend against threats, along with practical knowledge for using or analyzing them. It’s a very exciting part of the platform. Up to the release of this blog post, the team has released over 50 CTI labs on threats this year! What more can you expect from us? We know our customers love our CTI labs. Within this community, you can expect: Microsoft Patch Tuesday briefings: Patch News Day – We’ll release a brief about the Microsoft Patch Tuesday vulnerabilities each month. These briefings will help you to understand what new vulnerabilities mean and how they could impact you. New CTI lab releases – We release CTI labs at cyber speed, and you won’t miss a thing. We’ll announce new CTI labs within this community and give quick links to our platform so you can stay as up-to-date as possible! Cyber threat research and intelligence – We complete our own research and often find vulnerabilities in products. We reverse-engineer new malware and analyze new threats seldom discussed elsewhere in the industry. When we do this, we’ll release research articles here so you can go through the journey too. CTI discussions – While we’ll never give answers to labs or guidance on how to complete labs, we welcome vibrant and collaborative discussions about threats in our community forums. We’d love to hear your thoughts and interact with you! Don’t miss a beat Be sure to “follow” The Human Connection blog to receive notifications about new announcements and articles. Share your thoughts Comment below an introduction of yourself and a bit about a threat that you’ve recently analyzed or read about! As more of you introduce yourselves, it’ll be great to see how quickly threats are forgotten and as an industry we move on to the next! We spend a lot of time disseminating threat data to create threat labs for our customers. That means looking across threat actors and the industries they attack. What places have you found are best to collect threat data? Also, have you completed any of our recent threat labs? If so, which one? Was it a malware or CVE lab?Balance Your Business with the Buzz
The question begs for a prioritisation exercise. You need to create a dynamic program structure to address security priorities and the highest-volume threats, while keeping your finger on the pulse. Let’s dig into how you can balance your priorities Balance role-based learning and skills growth with day-to-day job responsibilities. These learning plans often look like a longer-term goal with continuous growth and skills progression. Some of our favourite Immersive Labs Career Paths (courtesy of the man, the myth, the legend ZacharyAbrams, our Senior Cyber Resilience Advisor are: Network Threat Detection Introduction to Digital Forensics Incident Response and Digital Forensics You can also create your own Career Paths! Buzz your team’s interest and pique security knowledge around the top routinely exploited vulnerabilities and priority threats. Latest CVEs and threats This collection should be a holy grail for referencing and assigning labs on the latest and most significant vulnerabilities, ensuring you can keep yourself and your organisation safe. Incorporate trending and priority threats like#StopRansomware with the below collections: Ransomware In this collection, you’ll learn about the different strains of ransomware and how they operate. Malicious Document Analysis Phishing and malicious documents are major malware attack vectors. Learn to analyse various file types and detect hidden malware. Balance out the flurry of CVEs and news trends with timely and relevant industry content: Financial services customers often prioritise Risk, Compliance, and Data Privacy Collections, or our entire Management, Risk, and Compliance path. We also have a great “Immersive Bank” Mini-Series for a simulated red team engagement against a fictitious financial enterprise. The series walks through the various stages of a simulated targeted attack, starting with information gathering and gaining access, before moving to pivoting and account abuse. Automotive customers might be interested in our CANBus collection to learn more about the CANBus technology in modern cars, and the security threats it faces. We’ve also seen interest in our IoT and Embedded Devices collection and OT/ICS For Incident Responders path! Telecommunications customers may be particularly interested in a more timely lab, such as threat actor Volt Typhoon, which recently made headlines with an attack on ISPs. Due to the group's focus on ISPs, telecom, and US infrastructure, we recommend reviewing its TTPs and mapping them against labs in the Immersive Labs MITRE ATT&CK Dashboard. Other threats may be of higher priority for your sector – reach out to your CSM or Ask a Question in the community to learn suggestions from your peers! Buzzabout the latest and most active threat actors and malware because, let's bee real, everyone wants to keep their finger on the pulse of the latest security happenings. Finance, healthcare, defence, government, and national political organisations are on high alert around Iranian-Backed Cyber Activity. The following content on common attack vectors from these groups is valuable to organisations today: IRGC and relevant malware labs: APT35 Peach Sandstorm Tickler Malware Citrix Netscaler CVEs: CVE-2019-19781 (Citrix RCE) – Defensive CVE-2019-19781 (Citrix RCE) – Offensive F5 BIG-IP CVEs: CVE-2022-1388 (F5 BIG-IP) – Defensive CVE-2022-1388 (F5 BIG-IP) – Offensive What would this all look like as part of my program? I like to think of it as a waterfall method, but make sure you consider the overall learning requirement relative to your team’s workloads. Annual: Role-based career paths with a longer duration (doesn’t have to be annual – you can set more frequent targets if that’s better for your team) for completion to meet individual growth and organisation training goals. Quarterly to bi-monthly: ‘Timely training’ with IL Collections or Custom Collections. This might include a mix of “Balance” around industry-relevant content, upskilling to bridge skills gaps, or “Buzzy” content addressing incident retrospective findings that require skills triage, or an industry trend like the rise in Ransomware or Threat Actor risks for your sector, as you reprioritize your internal threat landscape through the year. AdHoc:‘Threat Sprint’ assignments with new CVE and threat actor labs as a small custom collection with 7-10 day turnarounds per 2-3 hours of content to address quick priority topics. Make sure to get feedback from your teams on capacity. But, don’t bee afraid to iterate as you upskill your teams, stay stinger-sharp against adversaries, and hive a great time delivering on the business outcomes your organisation is looking for. Share your thoughts Have you mastered balancing business with the buzz? Comment below with your successes, failures, and ideas for effective balanced cybersecurity upskilling programs! Stay safe out there in the field, and keep an eye out (or five) for new articles based on recent events in the cybersecurity space. Get updated in your inbox on posts like this by "following" The Human Connection Blog!New CTI Lab: CUPS Remote Code Execution Vulnerability – Defensive
You may have heard all the hype about the latest Linux RCE that was supposed to be released on the 6th October. It got leaked and released early! At the actual time of release, there was no active patch; however, a few hours later, there was a patch sent out. The researcher who released it says it is a 9.9 in CVSS (meaning terrifying), but at Immersive Labs, we have likened it more to around 6.8. While the hype is not worth it for this particular vulnerability, there are 300,000 exposed machines on the internet that could be affected by this. What is CVE-2024-47177 – CUPS RCE? It is based on a vulnerability from over a decade ago that was accidentally reintroduced when porting code to a new repository. It takes advantage of the CUPS service, which is Linux's way of printing! There is a default service open to the world running on port 631, meaning anyone can connect and begin this attack. The full RCE is a bit more nuanced as it requires some interaction by a user, but it is still worth knowing due to the hype it has caused. Why should you care? Due to its low complexity and potential reach, this vulnerability might worry our customers who use many Ubuntu Desktops in their business networks. Therefore, we have created a lab on how to threat hunt for this vulnerability and the logging that gets produced once the exploit has been successfully executed. Who is it for? Incident responders SOC analyst Malware reverse engineers CTI Analysts Threat Hunters Complete the CUPS Remote Code Execution Vulnerability Lab hereNew CTI Lab: CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive
CVE-2024-30051 is a zero-day vulnerability discovered in the Windows Desktop Window Manager (DWM) Core Library. Patched as part of the Microsoft patch Tuesday releases, this vulnerability has been observed to be used by threat actors and malware from May 2024 to as recently as September 2024, particularly QakBot. Why have we created this content? Although this vulnerability was reported in May 2024 and patched quickly, exploitation by large malicious threat actors is still being seen. This privilege escalation exploit can be simple to spot for defensive teams. Additionally, a Proof of Concept (PoC) has recently been released, months after the patch, which explains this vulnerability in great detail and comes with the hypothesis that there will be an uptick in exploitation – often is the case when detailed PoCs are released for vulnerabilities. What are we publishing? All customers on a CyberPro License have immediate access to this new lab. CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege) – Defensive Who is this content for? These labs are focused on upskilling and increasing the defensive capabilities of the following roles: SOC Analysts Incident Responders Threat Hunters Malware AnalystsPatch Tuesday June 2024
On the second Tuesday of each month, Microsoft release their security patches for vulnerabilities found in their products. Each month, Immersive Labs' Cyber Threat Research Team review these patch notes for any standout vulnerabilities. You can find their thoughts and findings here.New CTI Labs: Threat Actor - Peach Sandstorm and Tickler Malware
Peach Sandstorm is a suspected Iranian state-sponsored threat actor that primarily targets organizations in the satellite, communications equipment, oil and gas, and federal and state government sectors in the United States and the United Arab Emirates. Why have we created this content? Microsoft recently reported on this threat actor evolving its tradecraft and using a new multi-stage backdoor called Tickler. This threat actor also uses password-spraying to obtain credentials to Azure services to persist and repurpose them into command and control infrastructure. Targets of interest involve the United States, Western Europe, and the United Arab Emirates. What are we publishing? All customers on a CyberPro License have immediate access to these new labs. Threat Actors: Peach Sandstorm Tickler Malware: Analysis Who is this content for? These labs are focused on upskilling and increasing the defensive capabilities of the following roles: SOC Analysts Incident Responders Cyber Threat Intelligence Analysts Threat Hunters Malware Analysts
