CVE-2024-5910: Understanding the Critical Expedition Vulnerability
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition tool, widely used for firewall configuration migrations. The flaw, stemming from missing authentication for a critical function, allows attackers with network access to the Expedition interface to gain administrative privileges without authorization. This issue (which has a CVSS score of 9.3!) represents a significant security risk, particularly for organizations using Expedition to manage sensitive configuration data.

What is Expedition?

Expedition simplifies the migration of firewall configurations from third-party systems to Palo Alto Networks devices. This process often involves importing sensitive credentials, secrets, and configurations, making the tool's security paramount.

Exploit details

The vulnerability could be exploited by sending crafted requests to reset the administrator password, granting attackers access to the system. Once inside, malicious actors could extract sensitive information, tamper with configurations, or launch further attacks against connected systems. Public proof of concept (PoC) code for exploiting this vulnerability is now available, increasing the urgency of mitigation measures.

Which systems are affected?

This vulnerability affects Expedition versions before 1.2.92, as detailed in the advisory from Palo Alto Networks. Systems that expose Expedition to the internet are at heightened risk, with recent scans identifying several instances accessible online.

Mitigation steps

- Update Expedition: Upgrade to version 1.2.92 or later, where the vulnerability has been patched.
- Restrict access: Ensure that network access to the Expedition tool is limited to trusted hosts and users. There's no valid reason for the tool to be accessible from untrusted networks.
- Change credentials: Rotate all administrator passwords, API keys, and firewall credentials processed through Expedition to mitigate potential compromises.
- Monitor for indicators of compromise (IoCs): Look for unusual activities in logs or changes to configurations, which may indicate exploitation.

Recommended content

To learn more about this vulnerability by interacting with it in a sandboxed environment, we have both an offensive and a defensive lab in the platform. The offensive scenario allows you to perform the exploitation using the PoC, whereas our defensive scenario upskills users by describing how to identify the IoCs, giving participants a deep understanding of how the exploit would appear in their environment. To find these labs and others, simply type the relevant CVE number into the Immersive Labs Search Bar.

Final thoughts

CVE-2024-5910 underscores the importance of promptly addressing vulnerabilities in tools that manage critical infrastructure configurations. Organizations should also stay on top of new and emerging threats, patch affected systems immediately, and follow best practices for securing administrative tools like Expedition. Using the Immersive Labs platform, organizations can gain a deep understanding of the most critical vulnerabilities and exploits and prepare for them in a practical and safe setting. For more details from the affected vendor, refer to the official Palo Alto Networks security advisory.

New CTI Lab: Xworm: Analysis
Xworm is a piece of malware that was first discovered in 2022, being used by threat actors like NullBulge and TA558. Xworm is a remote access trojan (RAT). Attackers deploy it onto compromised machines to steal data, facilitate remote code execution through shell access, and tamper with native security solutions like Microsoft Windows Defender, ready for other malware to be dropped and executed on a machine.

Why have we created this content?

Xworm is a commodity piece of malware that has been observed in the wild and has previously been observed being sold on hacker forums to opportunistic cybercriminals. Recently, cracked versions of this malware have been leaked to VirusTotal, GitHub, and other repositories. This content provides a unique look into commodity malware, how it's designed, and what to look out for when coming across it.

What are we publishing?

All customers on a CyberPro License have immediate access to a new lab.

- Xworm: Analysis

Who is this content for?

This lab is focused on upskilling and increasing the defensive capabilities of the following roles:

- Incident Responders
- Malware Analysts
- Reverse Engineers
- SOC Analysts
- Cyber Threat Intelligence Analysts

We are also hosting a webinar! Come and see what we do as a CTI team and how we help cyber teams with their real-world threat preparedness!

New CTI Labs: CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive and Defensive
Today, we've released two brand-new labs focusing on defending against and exploiting two new vulnerabilities in Palo Alto Firewalls! Learn how to attack a Palo Alto Firewall by exploiting these vulnerabilities, as well as how to identify attack remnants and detect them effectively.

Balance Your Business with the Buzz
The question begs for a prioritisation exercise. You need to create a dynamic program structure to address security priorities and the highest-volume threats, while keeping your finger on the pulse. Let's dig into how you can balance your priorities.

Balance role-based learning and skills growth with day-to-day job responsibilities. These learning plans often look like a longer-term goal with continuous growth and skills progression. Some of our favourite Immersive Labs Career Paths (courtesy of the man, the myth, the legend Zachary Abrams, our Senior Cyber Resilience Advisor) are:

- Network Threat Detection
- Introduction to Digital Forensics
- Incident Response and Digital Forensics

You can also create your own Career Paths!

Buzz your team's interest and pique security knowledge around the top routinely exploited vulnerabilities and priority threats.

- Latest CVEs and threats: This collection should be a holy grail for referencing and assigning labs on the latest and most significant vulnerabilities, ensuring you can keep yourself and your organisation safe.

Incorporate trending and priority threats like #StopRansomware with the below collections:

- Ransomware: In this collection, you'll learn about the different strains of ransomware and how they operate.
- Malicious Document Analysis: Phishing and malicious documents are major malware attack vectors. Learn to analyse various file types and detect hidden malware.

Balance out the flurry of CVEs and news trends with timely and relevant industry content:

- Financial services customers often prioritise Risk, Compliance, and Data Privacy Collections, or our entire Management, Risk, and Compliance path. We also have a great "Immersive Bank" Mini-Series for a simulated red team engagement against a fictitious financial enterprise. The series walks through the various stages of a simulated targeted attack, starting with information gathering and gaining access, before moving to pivoting and account abuse.
- Automotive customers might be interested in our CANBus collection to learn more about the CANBus technology in modern cars, and the security threats it faces. We've also seen interest in our IoT and Embedded Devices collection and OT/ICS For Incident Responders path!
- Telecommunications customers may be particularly interested in a more timely lab, such as threat actor Volt Typhoon, which recently made headlines with an attack on ISPs. Due to the group's focus on ISPs, telecom, and US infrastructure, we recommend reviewing its TTPs and mapping them against labs in the Immersive Labs MITRE ATT&CK Dashboard.

Other threats may be of higher priority for your sector. Reach out to your CSM or Ask a Question in the community to learn suggestions from your peers!

Buzz about the latest and most active threat actors and malware because, let's bee real, everyone wants to keep their finger on the pulse of the latest security happenings. Finance, healthcare, defence, government, and national political organisations are on high alert around Iranian-Backed Cyber Activity. The following content on common attack vectors from these groups is valuable to organisations today:

IRGC and relevant malware labs:
- APT35
- Peach Sandstorm
- Tickler Malware

Citrix Netscaler CVEs:
- CVE-2019-19781 (Citrix RCE) – Defensive
- CVE-2019-19781 (Citrix RCE) – Offensive

F5 BIG-IP CVEs:
- CVE-2022-1388 (F5 BIG-IP) – Defensive
- CVE-2022-1388 (F5 BIG-IP) – Offensive

What would this all look like as part of my program?

I like to think of it as a waterfall method, but make sure you consider the overall learning requirement relative to your team's workloads.

- Annual: Role-based career paths with a longer duration (it doesn't have to be annual; you can set more frequent targets if that's better for your team) for completion to meet individual growth and organisation training goals.
- Quarterly to bi-monthly: 'Timely training' with IL Collections or Custom Collections.
  This might include a mix of "Balance" around industry-relevant content, upskilling to bridge skills gaps, or "Buzzy" content addressing incident retrospective findings that require skills triage, or an industry trend like the rise in Ransomware or Threat Actor risks for your sector, as you reprioritise your internal threat landscape through the year.
- Ad hoc: 'Threat Sprint' assignments with new CVE and threat actor labs as a small custom collection with 7-10 day turnarounds per 2-3 hours of content to address quick priority topics.

Make sure to get feedback from your teams on capacity. But don't bee afraid to iterate as you upskill your teams, stay stinger-sharp against adversaries, and hive a great time delivering on the business outcomes your organisation is looking for.

Share your thoughts

Have you mastered balancing business with the buzz? Comment below with your successes, failures, and ideas for effective balanced cybersecurity upskilling programs! Stay safe out there in the field, and keep an eye out (or five) for new articles based on recent events in the cybersecurity space. Get updated in your inbox on posts like this by "following" The Human Connection Blog!

Patch Tuesday November 2024
CVE-2024-49039 - 8.8 - Windows Task Scheduler Elevation of Privilege Vulnerability

Microsoft has released an official patch for this vulnerability because the exploit code found is functional and has been used in the wild. The Windows Task Scheduler is a built-in utility in Microsoft Windows that allows organizations to automate and schedule tasks or scripts to run at specific times, during specific events, or under certain conditions. It enables users and administrators to automate repetitive tasks, making it easier to manage various operations on a computer or network. While a PoC has not been publicly released for this vulnerability, exploitation has been detected. An attacker can perform this exploit from a low-privileged AppContainer and effectively execute remote procedure calls (RPCs) that should be available only to privileged tasks. It is unclear which RPCs are affected here, but it could give an attacker the ability to elevate privileges and execute code on a remote machine, as well as on the machine on which they are exploiting the vulnerability.

CVE-2024-5535 - 9.1 - OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread

This OpenSSL vulnerability has been in OpenSSL since 2011 and has only recently been patched. Microsoft is releasing its fix for Microsoft Defender for Endpoint. It is rated 9.1 and has a few write-ups on the internet describing this vulnerability in depth. However, it does require the user to download a file from something like an email and have Defender "inspect" it to achieve code execution.

CVE-2024-43639 - 9.8 - Windows Kerberos Remote Code Execution Vulnerability

This is one of the most threatening CVEs from this patch release because it is related to Kerberos, an authentication protocol used heavily in Windows domain networks. The vulnerability allows an unauthenticated attacker to perform remote code execution against a vulnerable target inside a Windows domain.
Windows domains are used in the majority of enterprise networks, and by taking advantage of a cryptographic protocol vulnerability, an attacker can perform privileged actions on a remote machine within the network, potentially giving them eventual access to the domain controller, which is the goal for many attackers when attacking a domain.

CVE-2024-49033 - 7.5 - Microsoft Word Security Feature Bypass Vulnerability

This vulnerability targets Microsoft Office Protected View, allowing an attacker to bypass this security feature designed to protect users from potentially unsafe files. Protected View is a read-only mode that restricts editing and certain functionality in files downloaded from untrusted sources, such as email attachments or web links, to prevent malicious actions. By exploiting this vulnerability, an attacker could craft a malicious Word document capable of bypassing Protected View, enabling harmful actions to run on the victim's machine if it is opened. A successful attack requires several specific steps due to the high complexity of the environment-specific requirements, as indicated by a high CVSS Attack Complexity (AC) score. Because user interaction (UI) is required, the attacker cannot force the user to open the file; instead, they must convince the victim to click on the link and open the document, often using persuasive language or enticements. If the user opens the crafted file, the protections of Protected View will be bypassed, potentially allowing malicious content such as traditional VBA code to execute commands and compromise the system. Depending on the attacker's objectives and the victim's environment, this could result in data exposure, unauthorized access to sensitive information, or broader system compromise.
CVE-2024-49019 - 7.8 - Active Directory Certificate Services Elevation of Privilege Vulnerability

This Active Directory Certificate Services (AD CS) elevation of privilege vulnerability allows an attacker to gain domain administrator privileges if successfully exploited. The vulnerability exists in managing certificates issued by a PKI (Public Key Infrastructure) environment using certain misconfigured certificate templates. To determine if your PKI environment is vulnerable, check whether any certificates have been published using a version 1 certificate template where the source of the subject name is set to "Supplied in the request" and enroll permissions are granted to a broader group, such as domain users or domain computers. This is typically a misconfiguration, and certificates created from templates like the Web Server template could be affected. However, the Web Server template is not vulnerable by default because of its restricted enroll permissions. The vulnerability targets certificates created using a version 1 certificate template with "Supplied in the request" as the subject name source. If these templates are not properly secured (according to the best practices outlined in Microsoft's Securing Certificate Templates documentation), attackers can abuse the template's permissions and elevate their privileges, potentially gaining domain administrator access. This vulnerability has been rated as more likely to be exploited. Because it is related to Windows domains, which are used heavily across enterprise organizations, it is very important to patch it and look for misconfigurations that could be left behind.

CVE-2024-43451 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability

This Microsoft Patch Tuesday release includes an NTLM Hash Disclosure Spoofing Vulnerability (CVE-2024-43451).
Although tagged at a moderate severity level with a CVSS score of 6.5, it's important to note that details regarding this security vulnerability have been publicly disclosed, and instances of its exploitation have been confirmed, so users should take immediate action to mitigate potential risks. Further, the Microsoft advisory released today outlines that CVE-2024-43451 needs only minimal user interaction with a malicious file, which can include either clicking or inspecting it. This action could disclose a user's NTLMv2 hash to the attacker, potentially compromising confidentiality and allowing the attacker to authenticate as the user. All supported versions of Microsoft Windows are affected.

CVE-2024-43642 - 7.5 - Windows SMB Denial of Service Vulnerability

Microsoft has flagged a new security vulnerability, CVE-2024-43642, in its Windows Server Message Block (SMB) implementation. SMB is a network protocol primarily used for sharing access to files, printers, serial ports, and other communications between nodes on a network. This vulnerability could potentially lead to a Denial of Service (DoS), which, if exploited, could disrupt the normal functioning of a service or system. The vulnerability is a use-after-free, categorized as CWE-416: specific program operations could cause memory to be improperly accessed after being freed. According to Microsoft's rubric, with a CVSS v3.1 score of 7.5/6.5, this vulnerability is assigned an 'Important' severity rating, pointing towards the potential for considerable disruption of affected systems and possible downtime.

CVE-2024-43602 - 9.9 - Azure CycleCloud Remote Code Execution Vulnerability

CVE-2024-43602 is related to Azure CycleCloud, an orchestration and management tool often used for High-Performance Computing (HPC). This vulnerability is an instance of CWE-285: 'Improper Authorization' and carries a CVSS rating of 9.9/8.6.
At the time of writing, Microsoft's exploitability assessment on this one is 'Exploitation Less Likely', albeit the attack complexity is outlined as Low. To exploit this vulnerability, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster, thereby gaining root-level permissions. Consequently, the attacker could execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials. Despite this, the vulnerability is currently unexploited.

New CTI Lab: CRON#TRAP – Linux Environment Emulation
On November 4, 2024, Securonix published research identifying a novel attack chain where attackers deploy a custom Linux machine using the QEMU emulator to persist on endpoints, allowing them to run commands and deliver malware.

Why have we created this content?

Given that this technique is quite new and novel, this content was created to educate users on how legitimate tooling, like virtual environments, can be abused by attackers. When the user is tricked into opening a .lnk file, the virtual machine starts and mounts to the host, giving backdoor access to an endpoint that almost acts as a proxy.

What are we publishing?

All customers on a CyberPro License have immediate access to a new lab.

- CRON#TRAP – Linux Environment Emulation

Who is this content for?

This lab is focused on upskilling and increasing the defensive capabilities of the following roles:

- Incident Responders
- Threat Hunters
- Malware Analysts

New CTI Labs: Cobalt Strike Host Forensics and SIEM Analysis
Cobalt Strike is an adversary simulation tool developed by Fortra. Cobalt Strike was designed to be used by professional red teams to perform post-exploitation actions such as enumerating file systems, elevating privileges, and deploying malware. Despite being designed for red teams, threat actors often use both licensed and unlicensed (cracked) versions of Cobalt Strike for malicious purposes.

Why have we created this content?

A recent report again stated that Cobalt Strike is the C2 framework of choice for hackers around the world. We previously had no labs covering how to identify and defend against this C2 framework. Therefore, as we have with Havoc and Sliver, we have released labs based on analysis of its activities in networks and on a host, and we have created and released Volatility plugins to help defensive teams in their own analysis.

What are we publishing?

All customers on a CyberPro License have immediate access to two new labs.

- Threat Research: Cobalt Strike C2 – Host Forensics
- Threat Research: Cobalt Strike C2 – SIEM Analysis

Who is this content for?

These labs are focused on upskilling and increasing the defensive capabilities of the following roles:

- SOC Analysts
- Incident Responders
- Threat Hunters
- Malware Analysts

CVE-2024-30051: What You Need to Know
What is CVE-2024-30051?

CVE-2024-30051 is a vulnerability in the Microsoft Windows Desktop Window Manager (DWM) Core Library that allows attackers to gain SYSTEM-level privileges and execute arbitrary code, giving them extensive control over the compromised system.

Which systems are affected?

CVE-2024-30051 impacts a broad range of Windows systems, including:

- Windows 10 (various versions)
- Windows 11 (various versions)
- Windows Server 2016 and later versions

For a precise list of affected product configurations, check out the NIST National Vulnerability Database.

How could bad actors use this security issue?

Attackers have already exploited CVE-2024-30051 in real-world attacks, using it to distribute Qakbot malware via malicious email attachments or compromised websites. Once the malicious code is executed, the vulnerability is used to escalate privileges, allowing deep system access for installing more malware, stealing sensitive data, or taking full control of the system.

How to protect your organisation

The simplest and most obvious method is to apply the latest Windows security updates as soon as they become available. Microsoft released patches addressing CVE-2024-30051 as part of its May 2024 Patch Tuesday updates. Organisations and users are strongly advised to apply these patches immediately to protect their systems from potential exploitation.

To verify whether you've been affected by this vulnerability, analyse your logs for suspicious activity. Specifically, look for DLLs loaded from locations outside of System32 by legitimate Windows processes, as this may indicate the CVE-2024-30051 exploit has been used to load a malicious DLL.

Additionally, to mitigate against future vulnerabilities, educate users about the risks of phishing and malware. Qakbot is often spread through email attachments or malicious websites. Educate users about the risks of opening attachments from unknown senders or clicking on suspicious links in emails.
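As an added example (not code from the original post), the following Python hunt implements the log check described above over constructed Sysmon-style "Image loaded" records: a legitimate Windows process living in System32 loading a DLL from outside the trusted Windows directories. The `key=value;` line format, the sample events, and the SysWOW64/WinSxS additions to the allow-list are assumptions made for this example.

```python
"""Hunt for DLLs loaded by Windows system processes from outside the trusted
Windows directories (the CVE-2024-30051 detection idea described above).
Added example, not code from the original post. The input format is a
constructed one-line 'key=value;' rendering of a Sysmon Event ID 7 (Image
loaded) record, not real telemetry."""
from dataclasses import dataclass
import ntpath

# Directories a Windows system binary is expected to load DLLs from.
# Assumption: System32 comes from the post; SysWOW64 and WinSxS are added
# here to avoid noise on real hosts. Tune this list for your estate.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)
# The hunt is scoped to legitimate Windows processes living in System32.
SYSTEM_PROCESS_DIR = r"c:\windows\system32"


@dataclass(frozen=True)
class ImageLoad:
    process: str  # path of the process that loaded the DLL (Sysmon "Image")
    image: str    # path of the DLL that was loaded (Sysmon "ImageLoaded")
    signed: str   # Sysmon "Signed" field, "true" or "false"


def _norm(path: str) -> str:
    # Collapse slash style and case so prefix checks work on any platform
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path: str, directory: str) -> bool:
    # True only if path is inside directory; "System32evil" must not match
    p, d = _norm(path), _norm(directory)
    return p == d or p.startswith(d + "\\")


def is_suspicious_load(ev: ImageLoad) -> bool:
    """True when a System32 process loads a DLL from an untrusted location."""
    if not _under(ev.process, SYSTEM_PROCESS_DIR):
        return False  # third-party process: out of scope for this hunt
    return not any(_under(ev.image, d) for d in TRUSTED_DLL_DIRS)


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'key=value;' line into an ImageLoad record."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";") if "=" in part)
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields.get("Signed", "unknown"))


def hunt(lines):
    """Return the suspicious ImageLoad records found in the given lines."""
    return [ev for ev in map(parse_event, lines) if is_suspicious_load(ev)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    r"EventID=7;Image=C:\Windows\System32\svchost.exe;ImageLoaded=C:\Windows\System32\ntdll.dll;Signed=true",
    r"EventID=7;Image=C:\Windows\System32\dwm.exe;ImageLoaded=C:\Windows\WinSxS\amd64_comctl32\comctl32.dll;Signed=true",
    # a system process pulling an unsigned DLL from a user's temp folder
    r"EventID=7;Image=C:\Windows\System32\dwm.exe;ImageLoaded=C:\Users\alice\AppData\Local\Temp\abc.dll;Signed=false",
    # third-party application loading its own DLL: out of scope
    r"EventID=7;Image=C:\Program Files\App\app.exe;ImageLoaded=C:\Program Files\App\helper.dll;Signed=true",
    # mixed case and forward slashes must still be recognised as trusted
    r"EventID=7;Image=c:/windows/system32/dwm.exe;ImageLoaded=C:/WINDOWS/SYSTEM32/user32.dll;Signed=true",
    # lookalike directory sharing the System32 prefix must be flagged
    r"EventID=7;Image=C:\Windows\System32\svchost.exe;ImageLoaded=C:\Windows\System32evil\x.dll;Signed=false",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"SUSPICIOUS: {ev.process} loaded {ev.image} (signed={ev.signed})")
```

On a real host, feed `hunt()` the same fields exported from your SIEM or from Sysmon's operational log; a hit on an unsigned DLL in a user-writable directory is the case worth escalating first.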
Conclusion

CVE-2024-30051 highlights the importance of cybersecurity awareness and proactive measures, as it can be mitigated with organisational cyber awareness and regular patching policies. As always, staying informed about potential vulnerabilities is crucial to mitigating such risks.

Recommended content

If you'd like to learn how to detect this vulnerability in a sandboxed environment, check out our CVE-2024-30051 lab. In this lab, you'll threat hunt through a SIEM system to identify indicators of compromise (IoCs). Don't forget you can seek help and collaboration with this lab content in our Help & Support Forum!

Share your thoughts

If CVE-2024-30051 has impacted your organization, we'd love to hear about your steps to mitigate the risk. Do you have any recommendations for preparing for similar vulnerabilities in the future?

New CTI Labs: Palo Alto Expedition Critical Vulnerabilities
- CVE-2024-5910 (Palo Alto Expedition) - Defensive: Identify signs of exploitation in event logs and extract indicators of compromise.
- CVE-2024-5910 (Palo Alto Expedition) - Offensive: Use publicly available proof of concept code to exploit the vulnerabilities, gaining access to sensitive data.

What is Expedition and why should you care?

The flaws were found in Palo Alto Networks' Expedition solution, which helps migrate configurations from Check Point, Cisco, or other supported vendors. This application can be exploited to access sensitive data, such as user credentials, that can help take over firewall admin accounts, significantly impacting the security of an organisation's network. These labs provide steps to identify any potential signs of exploitation and detail how the exploit functions.

Who is it for?

- Incident responders
- SOC analysts
- CTI analysts
- Threat hunters
- Red teams
- Pen testers
- Offensive security professionals

Complete CVE-2024-5910 (Palo Alto Expedition) - Defensive here
Complete CVE-2024-5910 (Palo Alto Expedition) - Offensive here