CVE-2022-26134 – Confluence Zero Day RCE

We are seeing active exploitation in the wild: MIRAI deployment, coinminer deployments etc.

THIS DOES SHOW IN THE ACCESS LOGS! The comment about “what isn’t in the logs” is about POST request BODY not showing in them, not that nothing is logged

https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/community

XMRIG, KINSING, MIRAI etc. are being deployed by threat actors after exploiting this vulnerability.

This is a fast publish

POC is in the wild: https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

https://github.com/jbaines-r7/through_the_wire

keep checking vendor guidance and keep checking this for updates… use at own risk etc.

Workaround/Hotfixes have been published by Atlassian:

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

https://jira.atlassian.com/browse/CONFSERVER-79000

GreyNoise Tag is online: GreyNoise Trends

Also check this out for scanners: GreyNoise

Nice work https://twitter.com/_mattata and all the other people in the cyber community that are working on this!

IT MAY BE WISE TO ASSUME BREACH

The vulnerability appears to be in: xwork-1.0.3-atlassian-10.jar

Background

Velocity discovers a zero-day in confluence 03/06/2022 (GMT)

.@Volexity discovers zero-day exploit impacting all current versions of Atlassian Confluence Server and Data Center. Attackers deploy in-memory Java implant to evade detection. Read more in our latest blog post: https://t.co/aCSwnSUfj8 #DFIR #ThreatIntel #InfoSec
— Volexity (@Volexity) June 2, 2022

Guides

Cyber Essentials Readiness

So, you have a driver to achieve cyber essentials, great stuff. Now if you are a business of reasonable size and scale this activity requires a bit of planning, context and lots of access and data. This could be via a distributed team or via a dedicated project team. In this post I’m going to look at what you may need to conduct the planning, discovery, assessment, and certification for Cyber Essentials and/or CE+.

Guides

Cyber Essentials – Out of the Box

New machines means it’s easy right?

Ok, another post on cyber essentials! I talk about this quite a lot (mainly driven by procurement requirements rather than orgs expressing a deep desire to “have better security” (which is a shame)) however, I want to show people what the real world is like and that meeting cyber essentials is a good thing, but also to look at real world challenges of meeting the standards. In this post we look at some thought provoking questions, then we look at an out of the box Windows and MAC device to see if they meet the standard!

Guides

Wireguard Client for Linux on KALI

So as always there are a million things in tech and well it’s rare that someone knows EVERYTHING. I must connect to a Wireguard VPN from a KALI VM. Should be simple, well actually it was a bit more complicated as I had two errors along the way!

Defence

CVE-2022-22972 & CVE-2022-22973

More VMware Workspace One Vulns

This is a fast publish

Vmware just released patches for two new vulnerabilities in Workspace One, followed by guidance from CISA to patch by May 23^rd or remove the devices from the network/internet!

“All Federal Civilian Executive Branch agencies must complete the following actions:

By 5:00 PM EDT on Monday, May 23, 2022:

Enumerate all instances of impacted VMware products [VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager] on agency networks.

Defence

The Challenges of Cyber Essentials Audit and Compliance Activities

It’s “only” essential but it can be bloody difficult!
mRr3b00t

Cyber Essentials Areas

Cyber Essentials is a minimum baseline standard for ensuring foundational cyber security considerations and controls are in place. It’s a good starting point, but by no means should it be “THE GOAL” and just because it has “Essentials” in its name, don’t think it’s easy to comply with. Whilst the standard isn’t outlandish with its requirements in the main, the reality between technical capabilities and being able to discover, audit and remediate security configurations in organisations is often nowhere near as simple as someone may tell you. The news here is that the standard has been extended to include some wider areas.

Defence

The Director of GCHQ speaks at CyberUK 2022

Sir Jeremy Fleming was speaking at CyberUK, the UK’s flagship cyber security conference this week.

The full presentation is here but I’ve picked out some key highlights.

“Of course, we can count ourselves lucky compared to those caught up in wars, but we are also seeing a heightened cyber risk. Cyber criminals are consistently evolving their tactics; the lines are blurring with hostile state activity and ransomware remains a real threat.”

“Cyber clearly matters to everyone.”

“At the global level, the UK has developed as a cyber power. Alongside the more traditional forms of diplomacy and statecraft, cyber now plays a vital role in our national security and prosperity.”

Leadership

Security Myths and Bad Advice

It must be good, someone posted about it on LinkedIn!

Ok this isn’t my normal jam, normally I’d just write something that’s hopefully good advice/practise and that would be that. But today let’s try something different!

This was inspired by a twitter convo which evolved into this: https://twitter.com/UK_Daniel_Card/status/1522138771789123584?s=20&t=dL9OkicTY2Orj5hfBtDvVQ

So… what are some cyber security myths that ended up being good practise or “good advice”? Well here’s what I came up with, supported by some awesome cyber community people!

Leadership

Cyber Events vs Incident vs Attack

Cyber Events

Yesterday I was asked about “attack volumes” I see in the PwnDefend HoneyNet and it reminded me about what people think an “ATTACK” is and therefore spring my brain into thinking about how we as an industry communicate. Far too often I see “number of ATTACKS” being used my marketing/sales etc. where the numbers are simply ridiculous and not reflective of how offensive cyber operations actually work.

Let’s look at some examples:

“Gov. Greg Abbott warns Texas agencies seeing 10,000 attempted cyber attacks per minute from Iran”
Gov. Greg Abbott – article in the Texas Tribune by CASSANDRA POLLOCK

Leadership

Tabletop: “you have 400 servers; 800 users and your…

CISO Tabletop Scenario Intro

I thought it would be fun to explore what people do with regards to Cyber Securityleadeship, budgets, contraints and realities of business change. So here’s a blog post to supliment my thread on twitter:

MrR3b00t | #StandWithUkraine #DefendAsOne on Twitter: “Tabletop: you have 400 servers, 800 users and your cyber security budget is 100K…. what do you do? https://t.co/Nw0Pd7rH8L” / Twitter

please note: the list below is based on experiance, it’s also a list I made whilst drinking about half a cup of tea so it’s not complete or “the answer” it’s just some observations about an approach I advocate.