Folks -- keep in mind that most threat intel reporting containing domains is NOT designed for blocking. I have received enough questions about the recent OSINT reporting on Ivanti that it's worth a comment. Mandiant reports -- while great and in-depth -- include established companies and dynamic DNS services. Domains on the Cybereason list include things that aren't even domains but somehow have been elevated in VirusTotal and elsewhere to DNS status, e.g. request.data. It takes a lot of work to validate domains to protect networks while ensuring their performance. I don't recommend grabbing every IoC list and shoving it into your DNS or any firewall, regardless of the reputation of the source. These companies are offering IR data, not blocking IoC lists. #dns #threatintel #malware #ivanti #infoblox #cybersecurity
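The triage the post above argues for, as an added example (not the poster's code): each reported "domain" is rejected if it is not a valid hostname under a known TLD (so `request.data` never reaches the resolver), held for review if it sits under dynamic-DNS or shared hosting where a block would hit legitimate traffic, and only otherwise allowed onto a block list. The TLD allowlist and the shared-suffix list are constructed stand-ins for the IANA TLD list and a curated shared-infrastructure list.

```python
import re
from typing import Dict, Iterable, List

# Constructed for this example: a tiny TLD allowlist and a few shared
# infrastructure suffixes (dynamic DNS, CDN/hosting). A real deployment
# would load the IANA TLD list and a maintained shared-suffix list instead.
KNOWN_TLDS = {"com", "net", "org", "io", "info", "xyz", "top"}
SHARED_SUFFIXES = {"duckdns.org", "no-ip.com", "ddns.net",
                   "cloudfront.net", "azurewebsites.net"}
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def triage_ioc(ioc: str) -> str:
    """Classify a reported domain IoC as 'block', 'review' or 'reject'."""
    name = ioc.strip().lower().rstrip(".")
    labels = name.split(".")
    # Not a hostname at all (code fragments, IPs, underscores, empty strings).
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return "reject"
    # Syntactically a hostname but under no real TLD, e.g. request.data.
    if labels[-1] not in KNOWN_TLDS:
        return "reject"
    # Dynamic DNS / shared hosting: blocking the name may be fine, blocking the
    # suffix is not, so a human decides instead of the feed.
    if any(name == s or name.endswith("." + s) for s in SHARED_SUFFIXES):
        return "review"
    return "block"


def triage_report(iocs: Iterable[str]) -> Dict[str, List[str]]:
    """Split a whole report's IoCs into the three buckets."""
    out: Dict[str, List[str]] = {"block": [], "review": [], "reject": []}
    for ioc in iocs:
        out[triage_ioc(ioc)].append(ioc)
    return out


if __name__ == "__main__":
    # Constructed sample of what a report IoC section might contain.
    sample = ["request.data", "evil-update.xyz", "c2host.duckdns.org",
              "192.0.2.10", "Bad.Example.COM.", "foo_bar.com"]
    for bucket, names in triage_report(sample).items():
        print(f"{bucket}: {names}")
```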
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #06/2024 is out! It includes the following and much more:
➝ 🔓 #Juniper Support Portal Exposed Customer Device Info
➝ 🔓 🇹🇭 Major #DataBreach in #Thailand Exposes Personal Data of 20 Million Elderly Citizens
➝ 🔓 🇫🇷 Millions at risk of fraud after massive health data hack in #France
➝ 🔓 🇺🇸 #Verizon employee inadvertently leaks data of 63 thousand colleagues
➝ 🔓 🖥️ #AnyDesk Hacked: Revokes Passwords, Certificates in Response
➝ 🔓 🇺🇸 #Clorox says #cyberattack caused $49 million in expenses
➝ 💸 📈 #Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline
➝ 🇺🇸 💰 US offers $10 million for tips on #Hive ransomware leadership
➝ 🇨🇳 🇺🇸 #China-backed Volt Typhoon hackers have lurked inside US #criticalinfrastructure for ‘at least five years’
➝ 🇨🇳 🇳🇱 Chinese Hackers Exploited #FortiGate Flaw to Breach Dutch #Military Network
➝ 🇮🇷 🇮🇱 #Iran accelerates cyber ops against #Israel from chaotic start
➝ 🇧🇾 🇺🇸 Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion #Crypto Money Laundering
➝ 🇭🇰 💸 #Finance worker pays out $25 million after video call with #deepfake ‘chief financial officer’
➝ 🇺🇦 #ukraine is Creating a ‘Cyber Diplomat’ Post
➝ 🇩🇰 #Denmark orders schools to stop sending student data to #Google
➝ 🇪🇺 ⚖️ #EU proposes criminalizing AI-generated child sexual abuse and deepfakes
➝ 🇳🇱 💰 #Uber Fined 10 Million Euros by Dutch Data Regulator
➝ 🇺🇸 🛂 US to Roll Out Visa Restrictions on People Who Misuse #Spyware to Target Journalists, Activists
➝ 🦠 💬 Raspberry Robin #Malware Upgrades with #Discord Spread and New Exploits
➝ 🦠 🍎 New #macOS Backdoor Linked to Prominent Ransomware Groups
➝ 🦠 🪥 Surprising 3 Million Hacked #Toothbrushes Story Goes Viral—Is It True?
➝ 🇨🇦 🐬 #Canada declares #FlipperZero public enemy No. 1 in car-theft crackdown
➝ 🩹 #Ivanti: Patch new Connect Secure auth bypass bug immediately
➝ 🐛 📍 Security flaw in a popular smart helmet allowed silent location tracking
➝ 🩹 Critical Patches Released for New Flaws in #Cisco, #Fortinet, #VMware Products
➝ 🐛 🐧 Critical Boot Loader #Vulnerability in Shim Impacts Nearly All #Linux Distros
➝ 🐛 ✈️ #Airbus App Vulnerability Introduced Aircraft Safety Risk
➝ 🩹 #QNAP Patches High-Severity Bugs in QTS, Qsync Central
--
📚 This week's recommended reading is: "x86 Software Reverse-Engineering, Cracking, and Counter-Measure" by Stephanie Domas & Christopher Domas
--
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every weekend ⬇️
If anyone prints some of these, I'd gladly chip in financially so that the software sold to us as secure and as the all-healing security measure finally becomes secure again, with the help of the stickers.
The #Ivanti case of old software put together with some glue code is what we often see, because we try to unpack commercial software and RE it. When we looked at the last (well-known) EDR we immediately got a call from the '90s: they wanted their vulnerabilities back. But this happens everywhere. My favorite is still that online banking system where we found critical vulns, reported them and got them fixed… except at every other bank we found on Shodan.
The new Ivanti CVE-2024-22024 has already been exploited since 10am CET today. Check your Ivanti Pulse outgoing connections in your DNS, firewall, proxy etc. logs.
So, we've been talking about giving sh!t to #Ivanti recently (and rightfully). Can we talk about #jetbrains? Like every other week they release security patches...
Ivanti is warning of two vulnerabilities in Connect Secure, Policy Secure and ZTA gateways, with one under active exploitation. The first flaw is tracked as CVE-2024-21893, and can allow an attacker to bypass authentication and access restricted resources. The second flaw is tracked as CVE-2024-21888, and can allow an attacker to escalate privileges to an administrator. Administrators are advised to patch ASAP.
Volexity recently disclosed details related to exploitation of Ivanti Connect Secure VPN, revealing how the attacker chained two zero-day vulnerabilities to achieve remote code execution. When investigating the source of compromise, Volexity employed memory forensics, analyzing a memory sample collected from a suspected compromised VPN device, which allowed Volexity to zero in on the source of the compromise. "The lesson for analysts is to independently verify the integrity and trustworthiness of high-value targets using memory forensics, rather than only relying on tools that run on a potentially compromised device."
🔗 https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-exploitation-of-ivanti-connect-secure-vpn-zero-day-vulnerabilities/
oh ... :blobfacepalm: :blobcatfacepalm: 🤦♂️ "#facepalmfriday"
⬇️
"yes you read it right - trying to reproduce this weeks Ivanti CVEs has led us into further 0days on a fully patched Ivanti SSLVPN device"
⬇️
"We have received criticism for our decision to tweet about the existence of a vulnerability - citing claims of 'unactionability'. Our view is very simple - given we could find these 0days so trivially and the clear APT attention that Ivanti appliances have received, we felt it is not unreasonable to expect another APT to find said vulnerability in the near-future and start using it to once again compromise organisations. We maintain this view."
⬇️
"At this point we had to pause… did a basic XXE payload - that we could copy off an OSCP course - actually work?
Quickly we confirmed that this wasn’t present in older versions but had been introduced into the latest version of Ivanti Connect-Secure. Yes, you’re reading it right, they’ve messed up once again with their remediation and introduced an even higher impact bug."
👇
"Ivanti Connect Secure CVE-2024-22024 - Are We Now Part Of Ivanti?"
👇 https://labs.watchtowr.com/are-we-now-part-of-ivanti/