Posts

PAM Automation Scripts: Don’t Forget to Secure Admin Credentials

While IT executives understand the essential role privileged access management (PAM) solutions play in their organization's overall security strategy, they have also continued to ask their PAM administrators to do more with fewer resources. To meet these additional asks, PAM admins have automated routine PAM tasks using scripts. PAM automation scripts can significantly lessen the burden on PAM admins and enable organizations to scale PAM usage across the entire enterprise. 1. Why Are PAM Automation Scripts So Powerful? A PAM admin's daily responsibilities typically revolve around the lifecycles of privileged users in the organization and require high levels of privilege. For example, when a privileged user joins the organization, the PAM admin has to add them to the right safes and grant them the permissions they need to perform their privileged tasks. If a user leaves the organization, all of that access has to be revoked to ensure the organization remains secure. These process...

The logic behind three random words

Whilst not a password panacea, using 'three random words' is still better than enforcing arbitrary complexity requirements. One of the most popular pages on the NCSC website, nearly 5 years after its first publication, is 'Three random words or #thinkrandom'. It explains how, by combining three random words, you can create a password that's 'random enough' to keep the bad guys out, but also 'easy enough' for you to remember. In this blog, we're going to: explain why the NCSC continues to promote the 'three random words' strategy (both at home and at work); and respond to some concerns raised by NCSC customers who may be considering this strategy. The problems of complexity requirements We've covered, at length, how enforcing complexity requirements is a poor defence against guessing attacks. Our minds struggle to remember random character strings, so we use predictable patterns (such as replacing the letter 'o' with a zero) to meet the requ...

Critical RCE Flaw Discovered in Fortinet FortiGate Firewalls

Fortinet has released patches to address a critical security flaw in its FortiGate firewalls that could be abused by a threat actor to achieve remote code execution. The vulnerability, tracked as CVE-2023-27997, is "reachable pre-authentication, on every SSL VPN appliance," Lexfo Security researcher Charles Fol, who discovered and reported the flaw alongside Dany Bach, said in a tweet over the weekend. Details about the security flaw are currently withheld and Fortinet is yet to release an advisory, although the network security company is expected to publish more details in the coming days. French cybersecurity company Olympe Cyberdefense, in an independent alert, said the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. "The flaw would allow a hostile agent to interfere via the VPN, even if the MFA is activated," the firm noted. With Fortinet flaws emerging as a lucrative attack vector for threat...

Identifying BOD 23-02 Network Management Interfaces with Splunk

What Is BOD 23-02 Meant To Achieve? CISA is prohibiting the remote management of federal information systems' network devices, defined as "routers, switches, firewalls, VPN concentrators, proxies, load balancers, and out of band server management interfaces (such as iLo and iDRAC)", over common management protocols (HTTPS, SSH, etc.) from the public internet. Within 14 days of discovery, or of CISA notification of the existence of one or more of these interfaces, agencies must do one of the following: remove the internet accessibility of that device (e.g., take it offline), or protect the device through technical means (e.g., implement Zero Trust concepts such as enforcing access control through a point outside of the interface itself). How Can Splunk Help? First, it's important to recognize that Splunk is not a traditional Zero Trust policy enforcement point or tool for access control. That being said, Splunk Cloud or Splunk Enterprise does help identify misconfigurations such as these unprotected i...

Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations for Networks

VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware Aria Operations for Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023. Now, according to an update shared by the virtualization services provider on June 20, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown as yet. "VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company noted. Data gathered by threat intelligence firm GreyNoise shows active exploitation of the flaw from two different IP addresses located in the Netherl...

Splunk - Hunting for threats in DNS

Understanding DNS exfiltration When we talk about DNS exfiltration, we are talking about an attacker using the DNS protocol to tunnel (exfiltrate) data from the target to their own host. You could hypothesize that the adversary might use DNS to either: move sensitive files out of your organisation, or use it as a side channel for communications with malicious infrastructure. With the right visualizations and search techniques, you may be able to spot clients behaving abnormally when compared either to themselves or to their peers. Hunting for threats in DNS The section below shows some ways to detect unusual DNS activity based on the techniques highlighted above. NOTE: Adjust the sourcetypes/tags/eventtypes to suit your environment. Top 10 Clients by Volume of Requests Capturing spikes or changes in client volumes may show early signs of data exfiltration. tag=dns message_type="Query"  | timechart span=1h limit=10 usenull=f useother=f count AS Requ...
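The volume-based hunt above is expressed in Splunk SPL, which needs a Splunk instance to run. The Python below is an added example (not code from the original post or from Splunk) that reproduces the same idea offline over a constructed DNS query log: bucket queries per client per hour (the equivalent of `timechart span=1h count by client`), list the top talkers, and flag any client whose hourly volume dwarfs that of its peers. It goes one step beyond the excerpt by also scoring each client's ratio of distinct query names to total queries, since tunnelling encodes data in ever-changing labels. The log format, the client addresses, the domain names and the thresholds (`factor=5.0`, `min_requests=20`) are all assumptions made for the example and should be tuned to your own data.

```python
"""Volume and peer-comparison hunting over DNS query logs (added example).

Input lines use a constructed "<ISO timestamp> <client IP> <query name>"
format, standing in for the tag=dns / message_type="Query" events the
Splunk search reads. Nothing here is captured from a real network.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Construct a synthetic DNS query log (assumed data, not real traffic).

    Five workstations make eight lookups per hour to a handful of names.
    10.0.0.9 behaves normally in the 10:00 hour, then bursts to 60 lookups
    in the 11:00 hour, each to a unique subdomain of tunnel.example.net,
    the pattern DNS tunnelling tools produce."""
    lines = []
    for hour in (10, 11):
        for i in range(1, 6):
            for k in range(8):
                lines.append(f"2023-06-20T{hour:02d}:{k * 7:02d}:00 10.0.0.{i} site{k}.example.com")
    for k in range(6):
        lines.append(f"2023-06-20T10:{k * 9:02d}:00 10.0.0.9 mail.example.com")
    for k in range(60):
        lines.append(f"2023-06-20T11:{k:02d}:{k:02d} 10.0.0.9 {k:08x}deadbeef.tunnel.example.net")
    return lines


def parse_line(line):
    """Split one log line into (hour bucket as ISO string, client, query name)."""
    ts, client, qname = line.split(maxsplit=2)
    hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:00:00")
    return hour, client, qname.strip().lower()


def hourly_counts(lines):
    """Return {hour: Counter({client: requests})}, i.e. span=1h count by client."""
    counts = defaultdict(Counter)
    for line in lines:
        if line.strip():
            hour, client, _ = parse_line(line)
            counts[hour][client] += 1
    return counts


def top_clients(counts, hour, limit=10):
    """Top N clients by request volume in one hour bucket (limit=10 in the SPL)."""
    return counts[hour].most_common(limit)


def peer_outliers(counts, factor=5.0, min_requests=20):
    """Flag (hour, client, count, peer_median) where a client's hourly volume
    exceeds `factor` times the median of its peers in the same hour.
    `min_requests` suppresses noise from very quiet hours. Both thresholds
    are assumptions for this example; tune them per environment."""
    flagged = []
    for hour in sorted(counts):
        per_client = counts[hour]
        if len(per_client) < 3:  # need peers to compare against
            continue
        for client, n in per_client.items():
            peer_median = median(v for c, v in per_client.items() if c != client)
            if n >= min_requests and n > factor * peer_median:
                flagged.append((hour, client, n, peer_median))
    return flagged


def distinct_name_ratio(lines):
    """Per client: distinct query names / total queries over the whole log.
    Ordinary clients repeat the same names (low ratio); a tunnelling client
    emits a new label per chunk of data, so its ratio approaches 1.0."""
    total, names = Counter(), defaultdict(set)
    for line in lines:
        if line.strip():
            _, client, qname = parse_line(line)
            total[client] += 1
            names[client].add(qname)
    return {c: len(names[c]) / total[c] for c in total}


if __name__ == "__main__":
    log = build_sample_log()
    counts = hourly_counts(log)
    for hour in sorted(counts):
        print(hour, top_clients(counts, hour, limit=3))
    print("peer outliers:", peer_outliers(counts))
    for client, ratio in sorted(distinct_name_ratio(log).items()):
        print(f"{client:10} distinct-name ratio {ratio:.2f}")
```

Peer comparison is what keeps the volume hunt honest: a single client's spike is only interesting relative to what similar hosts did in the same hour, and the distinct-name ratio separates a genuinely chatty client (many lookups, few names) from one that is encoding data into labels (many lookups, nearly all unique).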

Critical SQL injection flaw fixed in Rapid7’s Nexpose vulnerability scanner

Rapid7 has patched a critical SQL injection vulnerability in Nexpose, its on-premises vulnerability management software. The flaw, which has a CVSS rating of 9.8, arose because valid search operators were not defined, according to the CVE description for the bug, which is tracked as CVE-2022-0757. Consequently, attackers can inject SQL code after manipulating the 'ALL' or 'ANY' filter query operators in the SearchCriteria. This issue affects all versions of Nexpose, also known as Security Console, up to and including 6.6.128. XSS in the mix Rapid7, a Massachusetts-based cybersecurity firm, addressed the issue in Nexpose version 6.6.129, released March 2. The latest version also includes support for TLS 1.3 services, an added vulnerability check for Log4j, and additional Metasploit-based vulnerability coverage. The Nexpose vulnerability scanner also contained a medium severity cross-site scripting (XSS) flaw. Residing...