Flair Data Systems Cybersecurity News Update 4-24-2024

My name is Brent Forrest and I serve as a vCISO at Flair Data Systems. Here is your cybersecurity news update for 4/24/2024... 

Good morning! 

 

In a previous chapter of my career, I had the privilege of learning from a mentor whose wisdom I still carry with me today. Whenever tensions flared and disagreements escalated, he would humorously threaten to "send us camping," implying that we wouldn't return until we resolved our differences. While this directive was never enforced, there were moments when I truly believed some individuals might benefit from such an experience. 


In the realm of active incident response, this concept applies. It underscores the necessity for individuals to set aside personal differences and collaborate towards a common resolution. Much like the hypothetical camping trip, it demands that we overcome individual barriers to address the overarching issue at hand. 


Advice on how to structure tabletop exercises 

  1. Make it a safe place when performing the exercise 
  2. Not knowing is OK but giving wrong information is NOT OK 
  3. Research what you don't know after the fact; don't assume you have the capability, validate it 
  4. Determine if existing toolsets are capable before purchasing a new tool to compensate 
  5. Finally, teams need to understand the term "privileged" and know why it is needed (along with who can provide this) 

Tabletop exercises present invaluable opportunities for teams to hone this collaborative spirit. They allow participants to navigate through simulated scenarios, fostering cohesion and mutual understanding while sidestepping the pitfalls of blame and discord. My earnest advice is to leverage these exercises not merely as platforms for showcasing individual prowess, but rather as occasions for fostering team synergy and camaraderie. For those wanting to explore the topic more, I recommend delving into Christian Espinosa's insightful book on the matter. 


With that, let’s jump into this week's cyber update.... 

 



Cisco ASA / FTD Vulnerabilities Being Exploited in the Wild 

Patching is recommended, but first validate that you are running an affected version and check for any dependencies on other components (such as FMC). 

  • CVE-2024-20353 (denial of service) 
  • CVE-2024-20359 (persistent local code execution) 
  • CVE-2024-20358 (command injection vulnerability) 
  • Cisco has warned that a state-backed hacking group (STORM-1849 / UAT4356) has been infiltrating vulnerable Cisco ASA/FTDs through a campaign tracked as ArcaneDoor 
  • The activity dates back to at least November 2023, but Cisco became aware of it in early January 2024 
  • The initial attack vector has not been identified, but Cisco has discovered and fixed the security flaws above 

Link (1): https://www.bleepingcomputer.com/news/security/arcanedoor-hackers-exploit-cisco-zero-days-to-breach-govt-networks/ 

 

Recent Vulnerabilities Have Proof of Concepts Released 

Both the Delinea and Ivanti vulnerabilities have had Proof of Concepts released to the public, which means threat actors can now build working attacks against these applications. 

 

Advanced Phishing Campaign  

 

Lookout has found a new campaign mimicking the FCC Okta login page. 

  • The attack appears to be targeting FCC, Binance, and Coinbase in an effort to harvest credentials, mimicking Scattered Spider tactics 
  • Victims have reported receiving both phone calls (spoofing real customer support numbers) and text messages urging them to complete the process 
  • The concern is that these types of attacks, if successful, open the door to expanding into other types of campaigns 
  • The link below contains a list of IoCs to be aware of 

Link (1): https://www.lookout.com/threat-intelligence/article/cryptochameleon-fcc-phishing-kit 
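As an added example (not from the newsletter or from Lookout's write-up), the script below shows one way a defender can put an IoC list like the one in the linked article to work: it scans proxy log lines for exact IoC domain matches and for lookalike hosts that combine the impersonated brand names (FCC, Okta, Binance, Coinbase) outside an allow-list of legitimate domains. The IoC domains, allow-list entries and log lines are all constructed placeholders, not real indicators.

```python
"""Added example: flag proxy-log requests to known IoC domains and to
brand-lookalike hosts. All domains and log lines below are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholders standing in for the IoC list in the Lookout article.
IOC_DOMAINS = {
    "fcc-okta.example",        # placeholder, not a real indicator
    "login-coinbase.example",  # placeholder, not a real indicator
}

# Brands the campaign impersonates, per the write-up.
BRAND_TOKENS = ("fcc", "okta", "binance", "coinbase")

# Legitimate domains that must never be flagged (constructed allow-list).
ALLOWED_SUFFIXES = (".okta.com", ".binance.com", ".coinbase.com", ".fcc.gov")

# Constructed proxy log: "<epoch> <client-ip> <method> <url>" per line.
SAMPLE_LOG = """\
1713945600.001 10.0.0.12 GET https://fcc-okta.example/login
1713945601.120 10.0.0.15 GET https://acme.okta.com/app/UserHome
1713945602.555 10.0.0.20 POST https://okta-coinbase-verify.example/auth
1713945603.007 10.0.0.21 GET https://www.fcc.gov/
1713945604.300 10.0.0.22 GET https://news.example.org/article
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def is_allowed(host: str) -> bool:
    """True when the host is a legitimate brand domain or a subdomain of one."""
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_SUFFIXES)


def classify_host(host: str) -> Optional[str]:
    """Return a reason string when the host looks malicious, otherwise None."""
    if is_allowed(host):
        return None
    if host in IOC_DOMAINS:
        return "known IoC"
    # Split on dots and hyphens so "okta-coinbase-verify" yields separate labels.
    labels = re.split(r"[.-]", host)
    hits = [t for t in BRAND_TOKENS if any(t in lbl for lbl in labels)]
    if hits:
        return "brand lookalike: " + ",".join(hits)
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for every flagged request in the log."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, client, _method, url = parts[:4]
        reason = classify_host(host_of(url))
        if reason:
            findings.append((client, host_of(url), reason))
    return findings


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```

The allow-list check runs first so that legitimate Okta tenants and the real FCC site never trip the lookalike rule; in practice you would feed the real IoC list from the article into IOC_DOMAINS and extend the allow-list with your own tenant domains.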

 

LabHost Takedown 

 

LabHost is a Phishing-as-a-Service platform that was recently shut down through a global operation by law enforcement agencies spanning 19 countries. 

  • LabHost was available on the open web, not the dark web, meaning anyone was able to access it 
  • 40,000 phishing domains were associated with the platform, which had over 10,000 users worldwide 
  • Austrian authorities took down 207 servers hosting phishing sites and arrested 5 people in the country who had ties to the operation 
  • The U.K. has arrested 4 individuals associated with the operation, one of whom is the alleged original developer 

Link (1): https://therecord.media/phishing-platform-labhost-shutdown-europol 

 

MITRE Breached Through Ivanti Zero-Day Vulnerabilities 

 

MITRE has confirmed that a state-backed hacking group compromised its network in January 2024 by chaining together two Ivanti VPN zero-days. 

  • The threat actors accessed NERVE (Networked Experimentation, Research, and Virtualization Environment), an unclassified collaboration network used for research and development 
  • No evidence shows that the threat actors accessed the organization's core enterprise network or partner systems 
  • The two zero-days were CVE-2023-46805 (auth bypass) and CVE-2024-21887 (command injection) 

Link (1): https://www.bleepingcomputer.com/news/security/mitre-says-state-hackers-breached-its-network-via-ivanti-zero-days/ 

 

CrushFTP vulnerabilities 

 

The CVE is an arbitrary file read flaw with the potential for remote code execution; it allows an attacker with low privileges to escape the server's virtual file system (VFS) sandbox to access and download system files. 

  • CVE-2024-4040: improper input validation vulnerability in the CrushFTP file transfer server version 11.1 
  • The vendor has already released patches, but exploits have been released and the flaw is being actively exploited 

Link (1): https://www.darkreading.com/cloud-security/patch-crushftp-zero-day-cloud-exploit-targets-us-orgs 
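The class of bug described above, a low-privileged user escaping a server's virtual file system sandbox, comes down to how user-supplied paths are resolved against the sandbox root. The following is an added example (not CrushFTP's code, and not tied to the specifics of CVE-2024-4040) showing a naive resolver that trusts the joined path beside a hardened resolver that canonicalizes the path and enforces containment, including the case of a symlink inside the sandbox that points outside it. The sandbox layout, file names and contents are constructed for the demonstration.

```python
"""Added example: naive vs. hardened virtual-file-system path resolution.
Not CrushFTP's implementation; the sandbox layout below is constructed."""
import os
import tempfile
from pathlib import Path


class SandboxEscape(Exception):
    """Raised when a user path resolves outside the sandbox root."""


def resolve_naive(root: str, user_path: str) -> str:
    """Vulnerable pattern: strip the leading slash, join, and trust the result.
    '../' segments (and symlinks) are never checked, so the caller may end up
    reading a file outside the sandbox."""
    return os.path.join(root, user_path.lstrip("/"))


def resolve_hardened(root: str, user_path: str) -> str:
    """Canonicalize both root and candidate (collapsing '..' and following
    symlinks), then require the candidate to be the root or strictly under it."""
    root_real = os.path.realpath(root)
    # Treat the user's path as sandbox-relative whether or not it starts with '/'.
    candidate = os.path.realpath(os.path.join(root_real, user_path.lstrip("/")))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise SandboxEscape(f"{user_path!r} resolves outside the sandbox")
    return candidate


def escapes_sandbox(root: str, user_path: str) -> bool:
    """True when the hardened resolver rejects the path."""
    try:
        resolve_hardened(root, user_path)
        return False
    except SandboxEscape:
        return True


def read_file(root: str, user_path: str) -> str:
    """Read a sandboxed file through the hardened resolver."""
    return Path(resolve_hardened(root, user_path)).read_text()


def make_demo_sandbox() -> str:
    """Constructed layout:
        <tmp>/secret.txt              (outside the sandbox)
        <tmp>/vfs/user1/report.txt    (inside)
        <tmp>/vfs/user1/link -> ../../secret.txt   (symlink pointing outside)
    Returns the sandbox root <tmp>/vfs/user1."""
    base = tempfile.mkdtemp(prefix="vfs_demo_")
    root = os.path.join(base, "vfs", "user1")
    os.makedirs(root)
    Path(root, "report.txt").write_text("ok")
    Path(base, "secret.txt").write_text("outside")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link"))
    return root


if __name__ == "__main__":
    root = make_demo_sandbox()
    for p in ("report.txt", "/report.txt", "../../secret.txt", "link", ".."):
        naive = os.path.normpath(resolve_naive(root, p))
        print(f"{p!r:20} naive -> {naive}")
        print(f"{'':20} hardened -> {'REJECTED' if escapes_sandbox(root, p) else 'ok'}")
```

Two details matter in the hardened version: realpath is applied after the join so that both traversal segments and symlinks are resolved before the check, and the containment test appends the path separator so that a sibling directory such as user10 does not pass as a prefix of user1. Any URL or percent decoding the server performs must happen before the path reaches this check.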

 

Evil XDR: Turning an XDR into an Offensive Tool  

 

A researcher at Black Hat Asia described how he not only reverse-engineered and cracked into Palo Alto's Cortex product but also weaponized it to deploy a reverse shell and ransomware. 

  • All but one of the weaknesses discovered have since been resolved by Palo Alto; the remaining one (encryption of the Lua files) was left unaddressed because the risk was deemed minimal 
  • The researcher was able to make the management console believe the agent was online when it was actually offline, which gave him the ability to gain remote access to the endpoint and deploy ransomware to the system without Cortex detecting or stopping it 
  • The details of how are very interesting and worth reading in the article 
  • Secondly, this raises the question of how much privilege XDR-type tools are given in order to perform their job of stopping threats 
  • One final note: this should not scare people away from using EDR/XDR platforms, but it should prompt them to fully understand, and trust, that their provider has proper controls and testing in place to reduce the chance of these situations occurring 

Link (1): https://www.darkreading.com/application-security/evil-xdr-researcher-turns-palo-alto-software-into-perfect-malware 

 

Until next week, it’s Brent Forrest signing off. Be cyber safe my friends! 



About the Author: Brent Forrest is a Field CISO with Flair Data Systems. In this role, Brent acts as an advisor to customers across different verticals, providing guidance that includes developing strategies to reduce risk with existing or modern technology while enabling the business. With over 20 years of experience in the IT industry, Brent has been part of multiple groups within the IT field, spanning Telecom, Network, Wireless, and Infrastructure, before finding his passion within Security. Roughly 20 years of that time was spent within the Oil and Gas industry working across multiple teams and leading initiatives. Specifically with EnLink Midstream, he spent most of his time building resilience and developing the cybersecurity program. 


Brent has been with Flair Data for 3 years and is CISSP, C|CISO, CvCISO, & Sec+ certified. In his free time, he likes to spend time with family, working out, or staying up with personal development. He lives in Dallas, Texas with his wife and children. 


About: Flair Data Systems is a strategically priced IT solutions company, serving clients in the U.S., with offices in Texas and Colorado. Now a technology industry leader, we began in 1916 as the Porter Burgess Company. Flair Data Systems is your Trusted Advisor for: Collaboration, Unified Communications, Networking, Cloud, Infrastructure, Data Analytics, and Cybersecurity, serving the U.S.  We are a trusted cyber security company in Dallas, TX. 
