CVE-2021-22005 – vCenter RCE

Introduction

Protecting admin interfaces is a really good idea, network segmentation however is one thing that many organisations struggle with. Most networks are what we call flat. They may be carved up into VLANs but generally speaking, in a lot of networks if you are “inside” then you have full access across the TCP/IP space.

Now here we are talking about the internal attack surface, so a threat actor would need network routable access which should not be the case for things like vcenter interfaces from the internet, however it appears that’s not really exactly how the world works.

Let’s look in Shodan! Read more “CVE-2021-22005 – vCenter RCE”

Defending against authentication attacks

Ok so my most popular blog on pwndefend is about using Hydra… so I guess that’s all the goodies using it for good things, right? Probably not but it does help people understand the weaknesses of single factor authentication systems without supplementary controls.

So, let’s look at authentication defences, but let’s do this from an attacker perspective! (The opposite of what helps an attacker usually helps defend). Crazy madness right, let’s get to it!

Foundations of Sand

Ok so authentication is a key security control in computer systems. To understand the challenge around authentication and think it’s all a technical problem is to error.

See most modern computer systems require at least two things to authenticate:

  • A Username
  • A Password

Read more “Defending against authentication attacks”

Exchange Emergency Mitigation Service with new CU Update

This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!)

History

Exchange OWA, ECP etc. are exposed online not only for mailbox access, calendar sharing but also are a requirement for hybrid mode sync capabilities.

Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is, Microsoft have created a feature for Exchange to help mitigate these attacks in the future via the EM Service!

Read more “Exchange Emergency Mitigation Service with new CU Update”

Cyber Security Tips – Keeping your digital self, safe!

Not even most of my digital life is in the enterprise security space, whilst this is great if you have access to technology budgets, security specialists and modern business class solutions, this doesn’t really fit into the general populations landscape of technology. I thought I’d take a high-level exploration of what digital security looks for people who aren’t security nerds! This is a bit of an experiment for me as it’s a journey into a world where although some things apply to me (obviously I’m human), some of this from a thinking/blogging point of view aren’t my comfort space. So, let’s see what a world outside of being a nerd look like!

Commons Risks

I’m thinking the risk landscape is still broad however when we think about risks, I reckon a general view model may look at some of the following scenarios:

  • Fraud/Scams
  • Sextortion
  • Phishing
  • Social Media Account Takeover
  • Device Theft
  • Device Loss
  • Equipment Failure/Data Loss
  • Threat from known individuals with physical access
  • Human Error

Read more “Cyber Security Tips – Keeping your digital self, safe!”

Risk management is easy! Isn’t it?

Information security theory and practises use a commonly understood and simple range of tools, methods, and practises to help organisations understand their risk portfolio and to enable them to make both strategic and tactical investment decisions….

Ok someone pinch me. this simply isn’t the reality I see on the ground. The theory is vast, complex and there are a multitude of good/best/insert phrase frameworks and tools that you can leverage to map, model, and communicate risks, vulnerabilities, controls, threats etc.

I’m not going to do a detailed analysis and comparison of different models here, but I am going to at least give people a view of some of the tools and frameworks that you can and may likely experience in the cyber security world. Read more “Risk management is easy! Isn’t it?”

Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)

There’s a new CVE in town but don’t think it’s the only problem you get when you expose administrative interfaces to the wild west of the internet (yeeha or something). Let’s go on a quick exploration of what the world looks like with the help of our friends at Shodan and then let’s see the ramblings of Dan when looking at how benign enumeration and exploration of services can work. Let’s get started looking at the world, a quick face analysis on Shodan with vmware as a product shows a hit or two, what we are going to focus on is vCenter but you know.. you might want to review your attack surfaces so any exposed services (damn people expose some risky stuff!) Read more “Exposed VMWARE vCenter Servers around the world (CVE-2021-22005)”

CAF Workbook

Undertsanding the current state of cyber capability maturity across an organisation is no simple feat. The team at NCSC have created a really good set of guidance with CAF. With all things there’s different ways on consuming, understanding and leveraging good practises.

I often find have XLS workbooks incredibly valuable when looking at indicators of good practise inside organisations. With this in mind, I started to put the GAF indicators into a workbook. This isn’t complete yet. It needs refactoring so it can be pivoted etc. It also needs some parts added for metadata capture and analysis.

I’m publishing this because sitting collecting virtual dust is probably the least valuable thing that can occur.

Hopefully this is helpful to people, even in it’s current half baked state. I’ll and complete this at some point!

Read more “CAF Workbook”

Post Compromise Active Directory Checklist

Nuke it from orbit, it’s the only way to be sure!

Ok, in an ideal world you can re-deploy your entire environment from scratch, but back in the most people’s real world’s that’s not that simple. So, what do we do if we can’t nuke from orbit in a post compromise situation? Well, we need to clean up! This isn’t an exhaustive list, not a total guide. it’s a quick list to make you think about some key common areas and actions that might need to be taken! after all if someone got r00t, who knows what they did! (trust me, most orgs monitoring is a bit naff!)

Read more “Post Compromise Active Directory Checklist”

Vulnerability Management – Actually doing it!

Vulnerability Management, Assessments and Vulnerability scanning is sometimes treated a with distain in the Offensive security community, I personally don’t understand that. Vulnerability management is key to inputting into security strategy, architecture, and operations. It’s coupled heavily to many other processes such as:

  • Asset Management
  • Risk Management
  • Patch Management
  • Change & Release Management
  • Security Testing
  • Security Monitoring

Before we start deploying let’s think about some areas for consideration when performing vulnerability scans:

  • Scope
    • Asset/Hosts
      • IP Ranges
      • Hostnames
    • Connectivity
      • VPNs
      • LAN/WAN
    • Device Types and Configuration
      • Domain
      • Workgroup
      • Appliance
      • ICS
      • Printers
      • Network Equipment
    • Unauthenticated View
    • Authenticated View
      • Auth Types
      • Protocols
    • Scheduling
    • Authority to execute
  • Impact
    • Performance
    • Availability
    • Confidentiality
  • Objectives and Outcomes
  • Reporting
    • Information Flow
    • Report Storage and Confidentiality

Read more “Vulnerability Management – Actually doing it!”

Copyright (c) Xservus Limited