Citrix released builds to fix CVE-2022-27518, which affects Citrix ADC (formerly NetScaler) and Citrix Gateway versions 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. An appliance is affected only if it is configured as a SAML SP or IdP.
The vulnerability has very high CVSS scores because it allows unauthenticated remote code execution: an attacker could bypass authentication and execute arbitrary code. It has been exploited in the wild; Citrix announced that it is aware of a small number of targeted attacks using this vulnerability.
CISA published a detection and mitigation guide for the vulnerability because it has seen the threat groups APT5 and UNC2630 use it in the wild.
APT5 is a threat group that has been tracked by Mandiant since 2014 and is supported by the Chinese government. The actor mostly focuses on stealing highly sensitive data from aerospace and defense organizations in the US, Europe and Asia.
A threat actor is advertising data from a Turkish gold mining company called Anagold on breached.co, a forum created as an alternative to raidforums.com.
Anagold is a mining company that is a partner of the Canadian company SSR Mining and has gold mines in Turkey. In recent months there have been allegations of cyanide leaks in Turkey involving the mining company.
According to the threat actor’s post, they are sharing only 8 GB of data for now and more will be shared later. The data also includes survey maps of gold reserves.
The company has not yet made a statement about the allegations.
In recent years it has become very common to share PoC exploits for known vulnerabilities, and several PoCs for a vulnerability can easily be found on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that they discovered thousands of repositories on GitHub offering fake PoC exploits for multiple vulnerabilities.
The discovery covers vulnerabilities disclosed between 2017 and 2021. For these vulnerabilities, the team analyzed 47313 repositories and found that 4893 of them were malicious; these repositories were used by threat actors to spread malware. The researchers analyzed a total of 358277 IP addresses, of which 150734 were unique and 2864 were blacklisted.
One example of a fake PoC given is for the CVE-2019-0708 vulnerability. “This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be running. It contains another Python script with a link to Pastebin28 that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware,” the team writes in the document they provided.
It seems that fake PoCs will continue to appear for both newly discovered and legacy vulnerabilities. Even when PoCs are not malicious, they make exploitation accessible to the public and to less experienced attackers. So, as soon as a vulnerability is disclosed, it is very likely to be exploited until it is patched. Because of this, security teams need to prioritize and patch critical vulnerabilities faster. It also shows the importance of using a professional intelligence service to prioritize vulnerabilities according to the organization’s threat profile, which the intelligence service also determines.
CVE-2022-26809 is a vulnerability in the Remote Procedure Call Runtime component of Microsoft Windows. An attacker who successfully exploits it could run arbitrary code on the affected system.
To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.
The vulnerable system can be exploited without any user interaction.
This vulnerability carries a very high risk and should be patched immediately.
Vulnerable Technologies: Microsoft reports that the following products and versions are vulnerable:
Windows 7 SP1 (32-bit, x64)
Windows 8.1 (32-bit, x64)
Windows 10 (32-bit, x64)
Windows 10 20H2 (32-bit, ARM64, x64)
Windows 10 21H1 (32-bit, ARM64, x64)
Windows 10 21H2 (32-bit, ARM64, x64)
Windows 10 1607 (32-bit, x64)
Windows 10 1809 (32-bit, ARM64, x64)
Windows 10 1909 (32-bit, ARM64, x64)
Windows 11 (ARM64, x64)
Windows RT 8.1
Windows Server 2008 SP2 (32-bit, x64)
Windows Server 2008 R2 SP1 (x64)
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server Version 20H2
Microsoft recommends blocking port 445 at the perimeter firewall as a technique to mitigate the possibility of internet-based exploitation.
Organizations need continuous port and vulnerability scanning to detect whether any port is even momentarily open to the outside. If continuous scanning is not possible because of sensitive systems, an Attack Surface Management system should be used for instant detection.
As we read in the details on TheRecord.media, an attacker abused a vulnerability in a cryptocurrency platform and stole crypto-assets worth $322.8 million at the time of the theft. The news is covered in detail in that blog, so we will not repeat the details here.
But the interesting thing is that the cryptocurrency platform, Wormhole, is now offering the hacker a proposal that includes a $10 million reward and an invitation to take the white hat side. It may also mean that they won’t file a criminal complaint against the attacker.
This is an interesting situation for many reasons. Firstly, does that unilateral contract mean that the attacker can no longer be blamed, as TheRecord.media mentioned in their post? Cyber attacks should be treated as a public offense, and even if the attacker agrees to the proposal, it simply does not mean they will never do it again to another organization. The cyber world is just like the real world, or at least it should be. Even if you forgive a thief who stole your property, the thief is still punished; the same should be true for cyber crime. This incident should be treated as a public crime.
If we look at the situation from the attacker’s side, it is not easy to live without a trace, especially as long as they continue similar actions. Considering that they stole a large amount of money and may now retire, with a good plan both during and after the attack, it is meaningless to accept the victim’s proposal. Even if they accept, as we mentioned above, it does not mean they will not be punished for this crime. Setting aside the huge amount of money already stolen, accepting the $10 million would very likely still mean facing punishment.
Whichever way you look at it, this offer doesn’t make much sense, but it is still worth a try. We eagerly await the attacker’s response to this offer. We are also curious about your comments on this subject.
Modules typically work in PowerShell directly. The “Get-Module” command can be used to see the imported modules.
“Get-Module -ListAvailable” shows the modules available.
Additional modules must be imported before we can use them; once a module is imported, all of its commands are available. We will add PowerSploit as an example. The PowerSploit project is no longer supported, but we may sometimes want to use its capabilities. To import it, we first download the package from here. After downloading the module, we need to copy it to one of the module folders on the PC. There are different module locations, and we can see them with “$Env:PSModulePath”.
We create a folder called PowerSploit and copy all the files from the downloaded package into it.
“Import-Module PowerSploit” will import the module, and all its commands will be available for us to use.
“Get-Command -Module PowerSploit” lists all commands of this module.
“Get-Help <command>” shows the usage of a command.
Effective threat hunting is critical because it is hard to think like an attacker and search for the unknown in an enterprise network. This post may help organizations conduct effective and successful threat hunting.
Knowledge of Topology and Environment
The purpose of threat hunting is to find anomalies and their sources on the network and endpoints. So, a threat hunter should know what is normal in order to understand what is not.
From the risk management point of view, critical assets – servers, applications, data – must be known to protect them more effectively. With knowledge of the environment, the threat hunter knows the critical assets and hunts accordingly. If the network is segmented, it is also critical to know the network topology and which networks – or VLANs – the critical assets are in.
It is also necessary to know which application runs on which operating system, so the threat hunter knows the weaknesses of each system and can search according to those weaknesses.
Effective Endpoint Management
For threat hunting, the most used tools are EDRs. Organizations should make sure that endpoint security tools are installed on all endpoints and detect when they are removed or stopped. Asset management is more than a CMDB; it must be managed by security teams who understand how critical a missing endpoint security tool on an endpoint is.
Threat intelligence is one of the most important feeds for threat hunting. Threat hunters need the most recent intelligence and IoCs so they can hunt the latest threats. Many malicious samples are produced and detected every day, which creates a lot of noise in the intel. To avoid this noise, hunters should get intelligence relevant to their organization’s sector and geolocation, and integrate these IoCs with SIEM, EDR, etc.
We all know that attackers keep creating new tactics and techniques. The most important reason is that while security professionals in organizations have to deal with so many different things, attackers can focus only on their target. Even if it is important to have valuable, experienced personnel, if they are dealing with different organizational duties while they work, it will be difficult for them to think like a hacker and detect the unknown in the network. Threat hunters should focus on their mission to create their methodology and hunt. So, there should be dedicated personnel for threat hunting.
Coordination Across the Organization
Yes, threat hunters work on an unusual mission, thinking like a hacker and searching across the network, but they must not work alone. A threat hunter should have good relationships with key personnel in IT departments such as network and system admins, help desk personnel and so on. Through these relationships they better understand the network, the systems and, more importantly, the company’s and the personnel’s way of doing business. From the organization’s perspective, when a threat hunter finds a weakness during the hunting process, they inform the relevant IT personnel for remediation. This teamwork leads to success in the remediation phase of incidents or weaknesses.
Intelligence is critical for hunting known threats, but hunters should be familiar with attackers’ TTPs to hunt zero-day threats. Threat hunters should also be aware of updated or new TTPs. Only with this knowledge can hunters act like an attacker. TTPs are at the top of the Pyramid of Pain (defined by David Bianco).
To uncover anomalies or malicious activity, threat hunters should use advanced tools like EDR, NDR, SIEM, FIM, etc. These tools will help the hunter find abnormal activities if configured properly. In other posts, we have tried to explain why they should be used.
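As an added example (not code from the original post), this Python script shows the kind of IoC sweep described above: one IoC feed applied to EDR, DNS, proxy and firewall lines at once, so a hit on one source can be pivoted to the others. The IoC values, hostnames and log lines are constructed samples.

```python
import json
import re
from dataclasses import dataclass

# Constructed IoC feed (placeholder values, not real indicators); lines are
# lower-cased before matching, so the feed values are lower-case too.
IOCS = {
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "ip": {"203.0.113.45"},            # RFC 5737 TEST-NET-3 address
    "domain": {"update-cdn.example"},  # reserved .example TLD
}
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}

@dataclass(frozen=True)
class Hit:
    source: str    # telemetry that produced the line: edr, dns, proxy, fw
    ioc_type: str
    value: str
    line: str

def candidates(line: str) -> dict:
    """Extract every hash, IP and domain from a line, whatever its format.
    EDR lines are JSON and the rest are plain text; flattening JSON values
    lets one set of regexes serve every source without a per-format parser."""
    text = line
    if line.lstrip().startswith("{"):
        text = " ".join(str(v) for v in json.loads(line).values())
    text = text.lower()
    return {name: set(rx.findall(text)) for name, rx in PATTERNS.items()}

def sweep(records, iocs=IOCS) -> list:
    """Match (source, line) records against the IoC feed; return every hit."""
    hits = []
    for source, line in records:
        found = candidates(line)
        for ioc_type, values in iocs.items():
            for value in sorted(found.get(ioc_type, set()) & values):
                hits.append(Hit(source, ioc_type, value, line))
    return hits

# Constructed sample telemetry for one hunt; hosts, times and values are made up.
SAMPLE_LOGS = [
    ("edr", json.dumps({"host": "ws-017", "process": "svchost.exe", "parent": "winword.exe",
                        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"})),
    ("dns", "2023-01-09T10:14:01Z ws-017 query A update-cdn.example"),
    ("proxy", "2023-01-09T10:14:02Z ws-017 GET http://update-cdn.example/p.bin 200"),
    ("fw", "2023-01-09T10:14:05Z allow tcp 10.0.4.17:51234 -> 203.0.113.45:443"),
    ("proxy", "2023-01-09T10:15:00Z ws-022 GET https://www.example.org/ 200"),
]
if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS):
        print(f"[{h.source}] {h.ioc_type}={h.value} :: {h.line}")
```

Running it against the constructed lines yields four hits that all trace back to host ws-017, which is the pivot a hunter would follow next; in practice the feed would be loaded from the TI platform rather than hard-coded.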
VMware Carbon Black has published an update to resolve a critical authentication bypass vulnerability in the Carbon Black App Control product. App Control is a solution to lock down critical systems and servers, prevent unwanted changes and ensure continuous compliance with regulatory mandates.
This authentication bypass vulnerability is tracked as CVE-2021-21998. VMware Carbon Black App Control versions 8.6.x, 8.5.x, 8.1.x and 8.0.x are affected.
With this auth bypass vulnerability, threat actors who can access the management server of the App Control application can bypass authentication and gain admin privileges. With those privileges, attackers can seize critical information on the system and can deactivate EPP and EDR features on the target systems.
VMware announced that the vulnerability is fixed in versions 8.6.2 and 8.5.8. It is critical to upgrade the system so as not to be affected by attacks.
Although threat hunting is nothing new, it is a very hot topic lately. Even if you have perimeter and endpoint security devices and a SIEM collecting and correlating their logs, waiting for incidents to come is not a good approach. Without threat hunting, dwell time grows beyond 150 days, and this is no longer acceptable. While attackers work proactively and develop new techniques day by day, security teams need to be more proactive too. Threat hunting is the most proactive approach in an organization’s security structure and improves its security posture.
Dwell time is the dirty metric nobody wants to talk about in cyber security. It signifies the amount of time threat actors go undetected in an environment, and the industry stats about it are staggering. Source: Extrahop
In its simplest definition, threat hunting is detecting abnormal activities on endpoints and the network. But what should hunters look for?
What to Hunt?
Threat hunting is a continuous process. Hunters should check anything that could be evidence of an incident.
Processes: Processes are important components of operating systems. Adversaries may inject malicious code into hijacked processes, so hunters should check processes and their child processes regularly.
Binaries: Hunters should check binaries by their checksum, name and other specifications.
Network: Network activity to specific destinations and anomalies in the network should be checked.
Registry: Hunters should check registry key additions and modifications.
For continuous hunting, organizations need threat hunters in their CSIRT. The difference between analysts and threat hunters is the proactive approach mentioned before. In smaller organizations, SOC analysts may also work on threat hunting, but a threat hunter has more specialized skills than an analyst. In larger organizations, it is important to have a dedicated threat hunting leader and team. This team should have detailed knowledge about:
OSs: The threat hunting team should have knowledge of the OSs the organization uses, including process structures, files, permissions and the registry depending on the OS. This is important because malicious files and attackers make their changes in these places. A threat hunter needs to understand what is normal and what is not; something abnormal could be a sign of an intrusion. To gain this knowledge, baselines should be created for all critical systems; these baselines help distinguish the normal from the anomalies.
Apps: Threat hunters should have knowledge of the applications used in the organization. It is also important to know the perimeter and endpoint security devices and applications the organization uses.
Business: The threat hunting team should know the organization’s business, so they can follow adversaries targeting the organization’s sector and geographical location. It is also important to know the third-party companies the organization works with and the communication channels with them.
Network: In a big and segmented network structure, it is important to know where the critical assets are.
TTPs: IoCs are important components for hunting, but they only detect “known knowns”. TTPs are at the top of the Pyramid of Pain (defined by David Bianco), and especially the techniques and tactics of the adversaries threatening the organization’s sector and location should be known.
Threat Hunting Tools: The CSIRT plan needs to specify which tools and techniques can be used for threat hunting. Threat hunters should have knowledge of these tools and techniques.
IR&H Plan: Threat hunting is only one step of the proactive approach. If threat hunters find an intrusion or anomaly in systems, they need to know the next step: whom should they inform, what should be done, etc.
Threat Intelligence: Threat intelligence is one of the most important feeds for threat hunting. Threat hunters need the most recent intelligence and IoCs so they can hunt the latest threats.
EDR: Threat hunters need IoCs but also need to know how to use them. After gathering the most recent IoCs from TI platforms, an IoC sweep must be run on the endpoints.
NDR: Just like endpoints, network traffic also needs to be checked against the latest IoCs. To do this, the CSIRT needs to collect all east-west and north-south network traffic. NDR devices with AI capabilities also detect anomalies in the network.
SIEM: Depending on the hunt’s scope, the threat hunter may need to check IPS/IDS, proxy, DNS, firewall or other tools’ logs. Because logs come from different sources, the CSIRT needs to collect and correlate them in a SIEM; feeding the SIEM with the latest IoCs makes these logs more meaningful.
FIM: We said that baselines must be created for critical systems. FIM solutions help the CSIRT create baselines for OSs and alert analysts when an unauthorized change is made.