Working out which exploits to care about is a tough job: kill chains, exploit availability, complexity, data flows, controls and more all play a part in understanding a vulnerability and how it affects your organisational risk. To support this effort I’ve started to compile a list of public exploits against the CISA Known Exploited Vulnerabilities (KEV) catalogue. This may be useful for defensive and offensive security pros.
Read more “Offensive KEV Alpha 0.1”
When you gain access to a target node you will want to explore. The exact method you use will depend upon operational security considerations, time constraints and style, but you will be looking for a range of elements to support progressing an objective.
It should be noted that the objective may NOT require elevation. You may be trying to obtain data, and access might already be possible using the context you have assumed.
You may also need to move from the www-data user to a named user account, or to get root-level access. If so, there is a range of questions we should be asking ourselves:
Read more “Linux Privilege Escalation”
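The enumeration those questions boil down to (setuid binaries, world-writable files, sudo rules, PATH hijack opportunities) can be scripted. The following is an added example written for this page, not the post's own tooling; the `sudo -l` text it parses is constructed, and it only reads metadata, so it is safe to run from a low-privileged context such as www-data.

```python
"""Local enumeration checks for Linux privilege escalation (added example)."""
import os
import re
import stat

# Constructed `sudo -l` output for the example (not from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim
    (ALL : ALL) /usr/bin/systemctl restart nginx
"""

SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<command>.+)$")


def find_setuid(root="/"):
    """Regular files with the SUID or SGID bit set beneath root (symlinks not followed)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; ignore at enumeration time
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def find_world_writable(root="/"):
    """Files and non-sticky directories anyone can write to (cron jobs, scripts, PATH dirs)."""
    hits = []
    for dirpath, dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if stat.S_ISLNK(mode) or not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue  # sticky dirs such as /tmp are expected to be world-writable
            hits.append(path)
    return sorted(hits)


def parse_sudo_l(text):
    """Extract runas / NOPASSWD / command from the rules section of `sudo -l`."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m["runas"].strip(),
                          "nopasswd": "NOPASSWD:" in m["tags"],
                          "command": m["command"].strip()})
    return rules


def writable_path_dirs(path_env):
    """PATH entries where a binary could be planted: relative/empty entries and writable dirs."""
    findings = []
    for entry in path_env.split(":"):
        if entry in ("", "."):
            findings.append((entry, "relative entry"))
        elif os.path.isdir(entry) and os.access(entry, os.W_OK):
            findings.append((entry, "writable by current user"))
    return findings


if __name__ == "__main__":
    for path, mode in find_setuid("/usr"):
        print(f"setuid/setgid {mode} {path}")
    for path in find_world_writable("/etc"):
        print(f"world-writable {path}")
    for rule in parse_sudo_l(SAMPLE_SUDO_L):
        print(f"sudo as {rule['runas']}: {rule['command']} (NOPASSWD={rule['nopasswd']})")
    for entry, why in writable_path_dirs(os.environ.get("PATH", "")):
        print(f"PATH risk: {entry!r} ({why})")
```

On a real host feed the live `sudo -l` output into `parse_sudo_l` and walk from `/`; the walk over `/proc` and `/sys` is noisy but harmless because errors are swallowed.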
Life in the vulnerability and exploit space is never dull.
Spotted on Twitter (thanks Danny!):
CISA updated the Known Exploited Vulnerabilities (KEV) catalogue yesterday with another 38 entries!
That means an update is required for OFFENSIVE KEV!
Read more “Offensive KEV Updates! CISA releases 38 more CVEs to KEV”
There are thousands of vulnerabilities, but do you ever struggle to work out which ones might actually be useful to you, whether you are defending or attacking?
Well, don’t worry: I’ve started to document some things that might help you both attack and defend in CYBERSPACE!
Read more “PWNDEFND: Known Exploitable Vulnerabilities (KEV) – AKA: Offensive KEV”
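The Offensive KEV idea in this post and the one above is a join: CISA's catalogue on one side, exploit availability and your own asset inventory on the other. The following is an added example of that triage, not the Offensive KEV list itself. The record fields mirror the CISA KEV JSON feed, but the sample records, dates, the `EXPLOIT_INDEX` values and the `INVENTORY` are all constructed for the example and make no claims about the real entries.

```python
"""Triage CISA KEV entries against a local exploit index and asset inventory."""
import json
from datetime import date

# Live feed (not fetched here so the example runs offline).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed. Dates and names are
# placeholders for the example, not the real catalogue entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-22972", "vendorProject": "VMware",
     "product": "Workspace ONE Access", "vulnerabilityName": "Authentication bypass",
     "dateAdded": "2022-05-18", "dueDate": "2022-05-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2021-22005", "vendorProject": "VMware",
     "product": "vCenter Server", "vulnerabilityName": "Arbitrary file upload",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-XXXX-0001", "vendorProject": "Example Vendor",  # placeholder ID
     "product": "Example Appliance", "vulnerabilityName": "Example flaw",
     "dateAdded": "2022-05-19", "dueDate": "2022-06-01",
     "knownRansomwareCampaignUse": "Known"},
]})

# Hypothetical hand-maintained exploit index (what Offensive KEV tracks).
# Values are illustrative only, not claims about the real exploits.
EXPLOIT_INDEX = {
    "CVE-2022-22972": {"public_poc": True, "weaponised": False},
    "CVE-2021-22005": {"public_poc": True, "weaponised": True},
}

# Hypothetical asset inventory: vendor -> products actually deployed.
INVENTORY = {"VMware": ["vCenter Server"]}


def parse_kev(raw_json):
    """Return the vulnerability records from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def days_until_due(entry, today):
    """Negative means CISA's remediation due date has already passed."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def in_inventory(entry, inventory):
    """Case-insensitive substring match of inventory products against the KEV product."""
    products = inventory.get(entry["vendorProject"], [])
    return any(p.lower() in entry["product"].lower() for p in products)


def score(entry, exploit_index, inventory, today):
    """Weight the signals the post lists: exposure, exploit availability, deadlines."""
    points, reasons = 0, []
    if in_inventory(entry, inventory):
        points += 4
        reasons.append("in inventory")
    exploit = exploit_index.get(entry["cveID"], {})
    if exploit.get("weaponised"):
        points += 3
        reasons.append("weaponised exploit")
    elif exploit.get("public_poc"):
        points += 2
        reasons.append("public PoC")
    if entry.get("knownRansomwareCampaignUse") == "Known":
        points += 2
        reasons.append("ransomware use")
    if days_until_due(entry, today) < 0:
        points += 1
        reasons.append("past CISA due date")
    return points, reasons


def triage(raw_json, exploit_index, inventory, today):
    """Rank KEV entries: highest score first, then earliest due date."""
    rows = []
    for entry in parse_kev(raw_json):
        points, reasons = score(entry, exploit_index, inventory, today)
        rows.append({"cve": entry["cveID"],
                     "product": f'{entry["vendorProject"]} {entry["product"]}',
                     "due": entry["dueDate"], "score": points, "reasons": reasons})
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, EXPLOIT_INDEX, INVENTORY, date(2022, 5, 20)):
        print(f'{row["score"]:>2}  {row["cve"]:<15} {row["product"]:<30} '
              f'due {row["due"]}  {", ".join(row["reasons"])}')
```

The weights are deliberately crude; the point is that "in my inventory" should dominate "has a PoC", which in turn should dominate "CISA says patch by Friday", otherwise you end up chasing the catalogue rather than your own risk.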
Useful for a range of defensive and offensive purposes, internet asset search platforms enable activities including:
- Research & Trend Analysis
- Vulnerability Hunting
- Attack Surface Mapping
Each has its own interfaces, features, datasets and styles.
I’ve put together a list of the most popular; there may be more that I haven’t listed.
Read more “Passive Port Scanners & Internet Asset Discovery Platforms”
More VMware Workspace One Vulns
This is a fast publish
VMware just released patches for two new vulnerabilities in Workspace ONE, followed by guidance from CISA to patch by May 23rd or remove the affected devices from the network/internet!
“All Federal Civilian Executive Branch agencies must complete the following actions:
By 5:00 PM EDT on Monday, May 23, 2022:
Enumerate all instances of impacted VMware products [VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager] on agency networks.
Read more “CVE-2022-22972 & CVE-2022-22973”
Protecting admin interfaces is a really good idea; network segmentation, however, is one thing that many organisations struggle with. Most networks are what we call flat. They may be carved up into VLANs, but generally speaking, in a lot of networks if you are “inside” then you have full access across the TCP/IP space.
Here we are talking about the internal attack surface, so a threat actor would need network-routable access. That should never be the case for things like vCenter interfaces from the internet; however, it appears that’s not really how the world works.
Let’s look in Shodan!
Read more “CVE-2021-22005 – vCenter RCE”
This is a big thing in the Exchange world from my POV! I believe this is dropping sometime today (28th September!).
Exchange OWA, ECP etc. are exposed online not only for mailbox access and calendar sharing, but also because they are a requirement for hybrid mode sync capabilities.
Vulnerabilities in Exchange this year (ProxyLogon/ProxyShell) have shown how problematic an attack surface this is. The good news is that Microsoft has created a feature for Exchange to help mitigate these attacks in the future: the Emergency Mitigation (EM) Service!
Read more “Exchange Emergency Mitigation Service with new CU Update”
OK, so the situation is, as per usual, a bit fluid. When this first dropped I was looking at it through an “Azure” lens; however, as time goes on it appears this likely also covers any Linux distro with the Azure/SCOM/OMS agents installed. This may change the risk profile considerably, not only from a public-facing attack surface but very likely from a lateral movement perspective too. I’m going to keep updating this as more intel comes in. (Sorry, I’d be clearer if I had a clearer picture myself.)
This week 4 vulnerabilities were disclosed which affect Azure virtual machines running the Open Management Infrastructure (OMI) agent (think PowerShell remoting). As above, the scope seems to be slightly wider with regard to the SCOM/Azure and OMS/Sentinel etc. agents for Linux (I want to confirm all of this, but for now it seems this is the position).
Essentially these vulnerabilities allow for both network-based remote code execution (RCE) and local privilege escalation (LPE).
- There is evidence of exploitation in honeypots.
- There is a public proof of concept available for the RCE.
- The internet facing attack surface from a global perspective seems low based on the data in Shodan and Censys however I’m not convinced this is currently giving a clear picture.
- So, checking your Azure networks, VMs and firewalls would be a sensible idea.
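One concrete way to do that check on the host itself is to inventory the agent and see what it is listening on. The block below is an added example, not from the post or from Microsoft; the OMI specifics it relies on (the agent lives under /opt/omi, and omiserver listens on WS-Man ports 5985/5986 plus 1270 for SCOM) come from my own knowledge of the agent rather than from the post, so treat them as assumptions to confirm against your build. The `ss -lntp` output it parses is constructed.

```python
"""Spot OMI agent listeners on a Linux host from `ss -lntp` output (added example)."""
import os
import re

OMI_PORTS = {5985, 5986, 1270}              # assumption: WS-Man and SCOM ports used by omiserver
OMI_SERVER_PATH = "/opt/omi/bin/omiserver"  # assumption: default install path of the agent

# Constructed `ss -lntp` output; pids and sockets are made up for the example.
# The last line mimics ss run without root, where the process column is absent.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*       users:(("sshd",pid=812,fd=3))
LISTEN  0       128                  *:5986               *:*       users:(("omiserver",pid=1337,fd=7))
LISTEN  0       128          127.0.0.1:5985         0.0.0.0:*       users:(("omiserver",pid=1337,fd=6))
LISTEN  0       128               [::]:1270            [::]:*       users:(("omiserver",pid=1337,fd=8))
LISTEN  0       128            0.0.0.0:5986         0.0.0.0:*
"""

PROCESS_RE = re.compile(r'\("([^"]+)"')
LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_listeners(ss_output):
    """Yield (bind address, port, process name or None) for each LISTEN line."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        match = PROCESS_RE.search(parts[5]) if len(parts) > 5 else None
        yield addr, int(port), (match.group(1) if match else None)


def omi_exposure(ss_output):
    """Listeners owned by omiserver, or on OMI ports when ss cannot show the owner.

    network_reachable is True unless bound to loopback. Whether a remote host
    can actually reach it then depends on NSG/firewall rules, which this cannot see.
    """
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        if proc == "omiserver" or (proc is None and port in OMI_PORTS):
            findings.append({"port": port, "bind": addr, "process": proc,
                             "network_reachable": not addr.startswith(LOOPBACK_PREFIXES)})
    return findings


def omi_installed(server_path=OMI_SERVER_PATH):
    """Cheap inventory check: is the agent binary present on this host?"""
    return os.path.exists(server_path)


if __name__ == "__main__":
    print("OMI binary present:", omi_installed())
    for f in omi_exposure(SAMPLE_SS):
        flag = "NETWORK" if f["network_reachable"] else "local-only"
        print(f'{flag:<10} {f["bind"]}:{f["port"]} ({f["process"] or "process unknown"})')
```

Run it with real output (`ss -lntp` as root so process names are populated) and anything flagged NETWORK is a socket worth checking against your NSG and host firewall rules, and against the Shodan/Censys picture the post mentions.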
Everything is much worse now, or is it?
”The world is burning, the world is burning but then if you look around, it always has been…”
Computer systems and security go together much like chalk and cheese! That probably sounds a bit odd, but miniaturization, consumerization and mobility have put more technology out in the world than we can really comprehend, yet technology security is still dramatically overlooked by most organizations.
Add to that the insane pace of change, the drive for faster, better, cheaper, and the reality that it probably isn’t a stretch to say most people (and organizations) do not really understand what ‘secure’ or ‘hardened’ looks like.
Read more “Ransomware Realities”