Good morning folks! I had a great time leading a Threat Hunting Workshop at my alma mater, RIT, and meeting some awesome customers, but in my travels I gathered some updates on the threat & vuln side of things that we all should be aware of. And before we get started, I meant to spell “Weak” that way – so let’s get started!
Infrastructure woes – YOU get a CVE, YOU get a CVE…
Adversaries of all types have started to focus on infrastructure devices quite a bit of late. In this case, I am referring to routers, switches, and even security tools like firewalls and VPN head-ends. Is this new? Not really, but the pace certainly seems to be picking up. Here are some reasons why:
- They see less frequent changes and code updates as compared to endpoints.
- Most organizations rely on those infrastructure devices to provide some security coverage for large numbers of endpoints or hosts (shared fate).
- Most of those same organizations do not adequately monitor the administration and activity on those same devices.
If you are the adversary, investing in their compromise pays off longer term! Let’s recap:
Cisco VPN vulns
Recent vulnerabilities (disclosed in September 2023) in ASA- or FTD-hosted VPN services have been seen exploited in the wild by threat actors like Akira as recently as December 2023. Keep in mind, patches and workarounds were available in September.
- Want to read more? Here is the CVE for this issue.
- Want to get nerdy? Cisco offers hot-fixes, config tips, and IOCs for detection.
Juniper JunOS management interfaces
Juniper devices across the lineup were implicated in a new Remote Code Execution (RCE) bug identified in the J-Web component of the JunOS software that runs on their switches, routers, and security appliances. This latest one is fresh, but it comes hot on the heels of a similar RCE-related CVE dealt with in August.
- Want to read more? Here is the CVE for the latest JunOS vuln.
- Want to get nerdy? Good luck – Juniper’s own disclosure is very succinct and not nearly as helpful.
Ivanti VPN issues aplenty
The tortured journey of Pulse Secure VPN continues. Now known as Ivanti Connect Secure VPN, several recent breaches have shown that victims’ devices were accessed via exposed management portals and that logging had been both wiped and disabled. Adversaries have been chaining a Command Injection flaw with an Authorization Bypass vulnerability to build their composite RCE technique. What made this even nastier was that they leveraged this RCE to compromise the VPN head-end and harvest files, log credentials, and cause all sorts of pain.
- Need a primer? Volexity put together a pretty good explainer.
- Want to read more? Here is the CVE for the Auth Bypass, and here is the CVE for the Command Injection flaw.
- Want to get nerdy? Mandiant’s own in-depth report is chock-full of awesome insight as to how this has been used.
What can we learn here?
Some of these are old news, but the inertia of infrastructure means it will be a LONG time before the patches are applied or workarounds are implemented (as with the Cisco CVE). Some issues are made worse by poor practices – DO NOT EXPOSE MANAGEMENT to the outside, folks (Juniper and Ivanti). And in all cases, hygiene is important, but so is off-box logging. We should not keep vital forensic evidence at the scene but continually pull it to a safe place.
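To make those two lessons concrete (off-box logging, and management that is not reachable from the outside), here is an added example that is not part of the original post or of any vendor’s tooling. It runs over a handful of constructed collector lines in an assumed `timestamp device message` format, with made-up hostnames and a made-up management range, and does two things a central collector can do that the device itself cannot once its logs are wiped: flag a device that has gone quiet relative to its peers, and flag successful administrative logins from outside the expected management network.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of device logs already forwarded off-box to a central
# collector. The line format, hostnames and addresses are assumptions made for
# this example; they are not output from any real product.
SAMPLE_LOGS = """\
2024-01-15T08:00:00Z vpn-edge-1 admin login user=ops src=10.20.0.5 result=success
2024-01-15T08:05:00Z core-rtr-1 interface Gi0/1 up
2024-01-15T08:10:00Z vpn-edge-1 config change by=ops
2024-01-15T08:15:00Z core-rtr-1 admin login user=admin src=203.0.113.77 result=success
2024-01-15T08:20:00Z core-rtr-1 interface Gi0/2 up
2024-01-15T09:30:00Z core-rtr-1 interface Gi0/1 down
"""

# Networks from which administrative logins are expected (assumed jump-host range).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
LOGIN_RE = re.compile(r"admin login user=(\S+) src=(\S+) result=(\S+)")


def parse_logs(text):
    """Turn collector lines into (timestamp, device, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_silent_devices(events, max_gap=timedelta(minutes=30)):
    """Flag devices whose last message is older than max_gap relative to the
    newest message the collector holds. A device that normally chatters and
    suddenly goes quiet is how wiped or disabled on-box logging shows up
    off-box; only a copy that already left the device can reveal it."""
    if not events:
        return {}
    newest = max(ts for ts, _, _ in events)
    last_seen = {}
    for ts, device, _ in events:
        last_seen[device] = max(last_seen.get(device, ts), ts)
    return {
        device: int((newest - ts).total_seconds() // 60)  # minutes of silence
        for device, ts in last_seen.items()
        if newest - ts > max_gap
    }


def find_unexpected_admin_logins(events, mgmt_nets=MGMT_NETS):
    """Flag successful admin logins from outside the management networks:
    the footprint of a management interface reachable from where it should
    not be."""
    hits = []
    for _, device, msg in events:
        m = LOGIN_RE.search(msg)
        if not m or m.group(3) != "success":
            continue
        src = ipaddress.ip_address(m.group(2))
        if not any(src in net for net in mgmt_nets):
            hits.append((device, str(src)))
    return hits


def analyze(text):
    """Run both checks over a batch of collector text."""
    events = parse_logs(text)
    return {
        "silent": find_silent_devices(events),
        "unexpected_logins": find_unexpected_admin_logins(events),
    }


if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOGS).items():
        print(kind, findings)
```

In the constructed sample, vpn-edge-1 stops reporting at 08:10 while core-rtr-1 keeps going until 09:30, so the silence check reports 80 minutes of quiet for the VPN head-end; the login check catches the admin session on core-rtr-1 from 203.0.113.77, an address outside the assumed management range. Both findings depend entirely on the copy of the logs that had already left the devices.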
This week in AI:
Really insightful article by Sandy Dunn about the many aspects of AI in security we will all encounter in 2024! (And thank you to Mark Hinkle for pointing to this article in his newsletter.) In the piece, she highlights that there is no going back, and at this point the greater risk may be in slowing down your own efforts while your competition (nation state, economic, or even your job competition) passes you by. She also highlights some places where there are resources that can help, like the OWASP Top 10 for LLMs, NVIDIA’s own Red Team Guidance for AI, and a ton more!
Things I am keeping an eye on myself
- Taiwan just completed another election, and seems to have managed to rankle its neighbors yet again. A certain interested party sure did try to make things go their way!
- Aaron Fulkerson wrote a slick piece to help focus in on the data breach risks and how they are altered or affected by AI. It’s great perspective that shows the impact using Verizon’s DBIR and other industry data points.
- Forescout did a good job of showing how recent OT attacks in Denmark and Ukraine compare to past campaigns. Interesting and insightful!
- In the “this is why we can’t have nice things” category: the myriad of healthcare breaches mean we get some new regulations!
- Volt Typhoon, a Chinese threat actor, continues to beat up on SOHO-class Cisco, Netgear, Axis and other manufacturers’ equipment with nasty firmware.
Good reads!
- I am reading an amazing book called “Genghis Khan and the Making of the Modern World”, and I cannot put it down. That man was well ahead of his time, and completely miscast as a barbarian. I am even thinking of how to better incorporate his innovation in my own work. Seriously! Minus the archery from horseback bit 😉
- I am a huge fan of Burp Suite, and the PortSwigger Web Security Academy is fantastic. But as I refresh my own chops, I am augmenting that wonderful resource with another here. Great, succinct, and a good sense of humor that gets you up and running with real-world applications of Burp in no time!
Please reach out if you want to talk shop or have any questions – I learn a ton from what you folks are seeing!