ntkramer

@ntkramer@infosec.exchange

Experienced InfoSec | Elder Millennial | 💼 Security Research https://infosec.exchange/@greynoise | I ask 'why?' a lot | Pro Oxford Comma | Fix it! | He/Him | #BLM | Views are my own.


ntkramer, to random

🍽️ & | The Cisco, F5, Ivanti, Juniper, JetBrains, and OwnCloud exploitation attempts have jumped so much in the last two days that they squashed the normal scale of the charts.

https://viz.greynoise.io/trends?view=trending

ntkramer, to random

CISA orders federal agencies to disconnect Ivanti VPN appliances by Saturday.

In response to the "substantial threat" and significant risk of security breaches posed by compromised Ivanti VPN appliances, CISA now mandates all federal agencies to "disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks," "as soon as possible" but no later than 11:59 PM on Friday, February 2.

https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-disconnect-ivanti-vpn-appliances-by-saturday/

>> Let's keep them offline, eh? <<

ntkramer, to random

We're hiring @greynoise Intelligence!

➡ The GreyNoise Customer Experience Specialist (CXS) is a part of the GreyNoise Customer Experience (CX) team, which provides our customers with an industry-leading experience. This is a customer-centric position focused on ensuring our customers' success with GreyNoise is all but guaranteed. The CXS will be a customer's primary contact and will facilitate all customer needs with the rest of the GreyNoise organization. The CXS will also be responsible for the retention of our customers and continued success using all GreyNoise services. ⬅

Interested? See more info and apply at the link below!

https://grnh.se/1d63f0975us

ntkramer, to random

We should start announcing KEV additions like award show nominees:

It is our displeasure to announce the latest addition to the coveted CISA KEV list - VMware! With this addition, VMware has secured its 19th spot on the list, and it's the first one for the year 2024. Let's not forget, VMware made its debut on the KEV list in November 2021 with a whopping 8 additions.

ntkramer, to random

🥪 & : We just pushed out this blog post with examples of Ivanti exploitation used for crypto mining. We've also included relevant IOCs and a link to a Gist containing naughty IPs.

https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers

ntkramer, to random

How you doing @todb?

ntkramer, to random

So the SEC “x” account didn’t have MFA.

CISA, hear me out. Let’s get a CVE for all apps that have un/pw auth only. Then put it on the KEV. Then many orgs must enable it.

ntkramer,

Neither did Mandiant's.

hrbrmstr, to random
@hrbrmstr@mastodon.social

WELP

THIS IS A BAD OMEN

Today was the first ever DUAL CISA KEV RELEASE DAY.

2024 is not going great, so far.

Y'all can blame @ntkramer for causing this revelation.

ntkramer,

@simontsui @hrbrmstr not loving this trend!!!

ntkramer, to random

“Currently, Ivanti blocks public access to an advisory containing full details on the CVE-2023-39366 bug, likely to provide customers with more time to secure their devices before threat actors can create exploits using the additional information.”

This thinking is insanity. It creates confusion for their customers. It makes it more difficult for security vendors to develop detections/protections more quickly. It introduces an opportunity for mis/disinformation on the vulnerability. Do not do this.

https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm-bug-lets-hackers-hijack-enrolled-devices/

ntkramer,

I guess the advisory now has more protections than their EPM.

riskybusiness, to random

We're getting sick of sharing a platform with goosesteppers. Can anyone recommend a good alternative to Substack? We're drawing up a shortlist.

ntkramer,

@riskybusiness @hrbrmstr you just decoupled, I believe?

ntkramer, to random

☕ & | We're observing an increase in IPs attempting to exploit CVE-2018-2628, a remote code execution vulnerability through Java deserialization in Oracle Weblogic Server. Not surprising given the % of organizations on holiday currently. I'd fully expect to see lots of focus on older, high-value vulns over the next few weeks.

https://viz.greynoise.io/tag/oracle-weblogic-rce-cve-2018-2628-rce-attempt?days=30

ntkramer, to random

I'm really surprised we haven't had a KEV in what feels like forever (tomorrow will be 10 days). (I stole this visual from @hrbrmstr, but we're entering rare territory...)

hrbrmstr, to random
@hrbrmstr@mastodon.social

O_O

2024 is rly going to suck, isn't it?

ntkramer,

@hrbrmstr yes

ntkramer, to random

It's really crappy that ownCloud's advisories do not include the actual CVE number. For the record, they are as follows:

  • CVE-2023-49103
  • CVE-2023-49104
  • CVE-2023-49105

ntkramer, to random

Today's edition of what grabbed my threaty eye during morning coffee ()

We wrote about this yesterday but want to ensure it gets enough attention. If you are an ownCloud user, your secrets may have already been leaked via CVE-2023-49103.

👀 The top source and destination countries are Israel so far.

https://www.greynoise.io/blog/cve-2023-49103-owncloud-critical-vulnerability-quickly-exploited-in-the-wild
https://viz.greynoise.io/tag/owncloud-graph-api-information-disclosure?days=3

ntkramer,

@dangoodin
We're seeing hits to the specific endpoint that exposes sensitive information, which would be considered exploitation.

ntkramer,

@dangoodin
I totally understand. We're picky about our words around exploitation and shoot for 100% accuracy.

At the moment, we've seen 13 IPs that are hitting our unadvertised sensors, which indicates that they are pretty much spraying it across the internet to see what hits.

ntkramer, to random

Today's edition of what grabbed my threaty eye during morning coffee ():

Exploitation of a path traversal vulnerability (CVE-2021-26086) in Atlassian Jira Server and Data Center is back for yet another plate of leftovers!

https://viz.greynoise.io/tag/atlassian-jira-path-traversal-attempt?days=10

ntkramer, to random

Today's edition of what grabbed my threaty eye during morning coffee ()

Calling out the updated guidance on patching Citrix Bleed CVE-2023-4966, "After you upgrade, we recommend that you remove any active or persistent sessions."

ntkramer, to random

Today's edition of what grabbed my threaty eye during morning coffee ():

There has been a recent 10-fold increase in the number of IP addresses attempting to brute force Tomcat Manager login credentials by using a basic authentication header.

https://viz.greynoise.io/tag/tomcat-manager-brute-force-attempt?days=10
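Two of the posts above describe behaviour a defender can look for in ordinary web-server access logs: requests to the ownCloud endpoint behind CVE-2023-49103 (the reply to @dangoodin calls hits to "the specific endpoint that exposes sensitive information" exploitation), and a flood of Tomcat Manager login attempts carrying a Basic authentication header. The script below is an added example written for this page, not GreyNoise's code or tooling. It assumes Apache/Nginx "combined" log format; the ownCloud path it matches is the publicly reported phpinfo endpoint of the graphapi app (your deployment may mount it under a different URL prefix, so only the suffix is compared); the log lines, IPs and thresholds are constructed for the example.

```python
"""Added example: spot CVE-2023-49103 probes and Tomcat Manager brute forcing
in access logs. Not GreyNoise code; log lines below are constructed."""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Publicly reported disclosure endpoint for CVE-2023-49103; compared as a
# suffix because the ownCloud install may sit under a URL prefix (assumption).
OWNCLOUD_PHPINFO_SUFFIX = (
    "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
)
TOMCAT_MANAGER_PREFIX = "/manager/"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_owncloud_probes(lines):
    """Return (ip, status) for every request to the phpinfo endpoint.
    A 200 means the server handed out its environment (secrets included);
    a 404 means the file is gone but someone still came looking for it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].endswith(OWNCLOUD_PHPINFO_SUFFIX):
            hits.append((rec["ip"], rec["status"]))
    return hits


def find_tomcat_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Map ip -> peak number of 401s against /manager/* inside any `window`,
    for IPs whose peak reaches `threshold` (sliding window over sorted times)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith(TOMCAT_MANAGER_PREFIX):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def decode_basic_auth(header_value):
    """Decode an 'Authorization: Basic <b64>' value into (user, password).
    Returns None for other schemes, bad base64, or a payload without ':'.
    Useful when a WAF or honeypot logs the full request, since access logs
    normally do not keep the header itself."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _line(ip, ts, path, status):
    """Build a constructed combined-format log line for the sample below."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one successful and one failed phpinfo probe, one
# source hammering the Tomcat Manager (12 failures in 22 s), one slow source.
T0 = datetime(2023, 11, 27, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.7", T0, "/owncloud" + OWNCLOUD_PHPINFO_SUFFIX, 200),
     _line("198.51.100.9", T0 + timedelta(seconds=5), OWNCLOUD_PHPINFO_SUFFIX + "?x=1", 404)]
    + [_line("192.0.2.44", T0 + timedelta(seconds=2 * i), "/manager/html", 401) for i in range(12)]
    + [_line("198.51.100.9", T0 + timedelta(minutes=i), "/manager/html", 401) for i in range(3)]
)

if __name__ == "__main__":
    print("ownCloud phpinfo probes:", find_owncloud_probes(SAMPLE_LOG))
    print("Tomcat Manager brute force:", find_tomcat_bruteforce(SAMPLE_LOG))
    print("decoded Basic header:", decode_basic_auth("Basic dG9tY2F0OnRvbWNhdA=="))
```

Run it against a real log with `find_owncloud_probes(open("access.log"))`; any 200 on the phpinfo path should be treated as a confirmed leak of that host's environment, not just a probe, and the credentials and API keys in it rotated. The Tomcat threshold and window are deliberate starting points, not tuned values: the 10-fold jump the post describes is the kind of aggregate shift you would confirm by running the detector across a day of logs and comparing distinct flagged IPs day over day.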

SecureOwl, to random

A reminder that if for any reason Traffic Light Protocol stops working, you should fall back to Four Way Stop Protocol.

ntkramer,

@SecureOwl is this where no one knows when to share what so then they all share at the same time?
