by jdpoteet | Jun 7, 2024 | Videos/Podcasts
This cybersecurity podcast delves into the key strategies and best practices for developing and enhancing a blue team cybersecurity framework. Dr. Mike Saylor, CEO Blackswan Cybersecurity, offers his insights on how organizations can efficiently prepare for and respond to cyber incidents. He discusses the importance of forming relationships with law enforcement, conducting tabletop exercises, and understanding cyber insurance policies. Mike’s expertise provides valuable guidance for companies aiming to bolster their cybersecurity defenses.
The discussion highlights the necessity of prioritizing detection and response capabilities, rather than solely focusing on prevention. Dr. Saylor emphasizes how a well-prepared blue team can significantly impact the outcome when facing a cyber threat. He also shares real-world examples that demonstrate critical lessons and takeaways for organizations striving to improve their cybersecurity measures. Listen to the recording to discover how a comprehensive blue team strategy can better protect your company from cyber threats.
by jdpoteet | Jun 3, 2024 | Threat Advisories
Linux Privilege Escalation Exploit Vulnerability
Summary
CISA added a Linux kernel vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. CVE-2024-1086, with a CVSS score of 7.8, is a use-after-free bug in the Linux netfilter component that allows a local attacker to escalate privileges from a regular user to root and potentially execute arbitrary code.
Technical Details
Netfilter is a framework within the Linux kernel that supports various networking operations, including packet filtering, packet mangling, and network address translation. CVE-2024-1086 stems from a flaw in the nft_verdict_init() function “that permits positive values to be used as a drop error within the hook result, leading the nf_hook_slow() function to execute a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT”. This allows a local attacker to escalate privileges to root and potentially execute arbitrary code.
The issue was addressed through a commit in January 2024, which rejects QUEUE/DROP verdict parameters to prevent exploitation. The fix has been backported to multiple stable kernel versions, including:
- v4.19.307 and later
- v5.4.269 and later
- v5.10.210 and later
- v5.15.149 and later
- v6.1.76 and later
- v6.6.15 and later
- v6.7.3 and later
In late March 2024, security researcher ‘Notselwyn’ published a detailed write-up and proof-of-concept (PoC) exploit on GitHub demonstrating local privilege escalation on Linux kernel versions between 5.14 and 6.6. “While most Linux distributions quickly released fixes, Red Hat delayed until March, potentially allowing threat actors to exploit the vulnerability on compromised systems”. CISA did not provide specific exploitation details, but BleepingComputer reported discussions about the public exploits on hacking forums. CISA mandated that federal agencies apply the available patches by June 20, 2024.

Recommendations
- Ensure systems are running a patched kernel for their stable branch (v4.19.307, v5.4.269, v5.10.210, v5.15.149, v6.1.76, v6.6.15, or v6.7.3 and later).
- Prioritize updating any Red Hat systems if not already patched.
- Blocklist the ‘nf_tables’ module if it is not required for system operations.
- Restrict access to user namespaces to limit potential attack vectors.
- Consider loading the Linux Kernel Runtime Guard (LKRG) module to add an extra layer of security, while being aware of possible stability issues.
- Regularly monitor systems for signs of exploitation and review security logs.
- Conduct periodic security audits to ensure all mitigations are correctly implemented and identify any unpatched systems.
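The first three recommendations above can be checked mechanically. The following script is an added example, not code from the advisory or from any vendor: it compares a `uname -r` style release string against the fixed stable versions the advisory lists, and checks whether a modprobe.d fragment blocks nf_tables. Distribution kernels (Red Hat's 5.14.x series, for instance) carry backports under their own numbering, so the version check deliberately returns an "unknown" result for branches not on the advisory's list rather than guessing; those hosts need the vendor's errata. Note also that a modprobe `blacklist` line only stops alias-based autoloading, whereas `install nf_tables /bin/false` blocks an explicit load too, so the checker recognises both forms.

```python
import re
from typing import Optional, Tuple

# First patched release on each stable branch, taken from the advisory.
FIXED_VERSIONS = {
    (4, 19): (4, 19, 307),
    (5, 4): (5, 4, 269),
    (5, 10): (5, 10, 210),
    (5, 15): (5, 15, 149),
    (6, 1): (6, 1, 76),
    (6, 6): (6, 6, 15),
    (6, 7): (6, 7, 3),
}

Version = Tuple[int, int, int]


def parse_kernel_version(release: str) -> Version:
    """Extract (major, minor, patch) from a `uname -r` style string.

    Vendor suffixes such as '-generic' or '-362.el9.x86_64' are ignored.
    """
    match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def kernel_patched_upstream(release: str) -> Optional[bool]:
    """Compare a kernel release against the advisory's fixed stable versions.

    Returns True if the version is at or past the first fixed release on its
    branch, False if it is older, and None if the branch is not one of the
    listed stable series (distribution kernels backport fixes under their own
    numbering, so upstream numbers alone cannot settle the question there).
    """
    version = parse_kernel_version(release)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def nf_tables_blocklisted(modprobe_conf: str) -> bool:
    """Return True if a modprobe.d fragment prevents nf_tables from loading.

    Recognises both the `blacklist` keyword and the `install <module> /bin/false`
    idiom; comments and unrelated modules are ignored.
    """
    for raw in modprobe_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "blacklist" and len(fields) >= 2 and fields[1] == "nf_tables":
            return True
        if (fields[0] == "install" and len(fields) >= 3
                and fields[1] == "nf_tables" and fields[2] in ("/bin/false", "/bin/true")):
            return True
    return False


if __name__ == "__main__":
    import pathlib
    import platform

    release = platform.release()
    print(f"kernel {release}: patched_upstream={kernel_patched_upstream(release)}")

    conf_dir = pathlib.Path("/etc/modprobe.d")
    conf_text = ""
    if conf_dir.is_dir():
        conf_text = "".join(p.read_text() for p in conf_dir.glob("*.conf"))
    print(f"nf_tables blocklisted: {nf_tables_blocklisted(conf_text)}")
```

Run it on the host as-is to print the two checks, or import the functions into an inventory script and feed it release strings collected from a fleet; a `None` result is the signal to consult the distribution's own advisory rather than a pass.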
by jdpoteet | May 30, 2024 | Threat Advisories
Okta CIC Credential Stuffing
Summary
Okta issued a warning that the cross-origin authentication feature of its Customer Identity Cloud (CIC) is susceptible to credential stuffing attacks, stating:
“Okta researchers have detected that the endpoints supporting this cross-origin authentication feature are being targeted by credential stuffing attacks affecting several of our customers.”
Technical Details
Suspicious activity began on April 15, 2024, with Okta proactively notifying customers who had the cross-origin authentication feature enabled. Okta did not disclose how many customers were affected by the attacks.
Credential stuffing is a cyberattack where threat actors use lists of usernames and passwords obtained from previous data breaches, phishing, or malware campaigns to attempt logins to online services.
This warning comes just a month after Okta reported a rise in the frequency and scale of credential stuffing attacks on online services, facilitated by the use of residential proxy services.
Recommendations
- Review tenant logs for unexpected login events, including failed cross-origin authentication (fcoa), successful cross-origin authentication (scoa), and breached password (pwd_leak) events.
- Rotate credentials regularly, changing passwords and credentials to reduce the risk of unauthorized access.
- Restrict or disable cross-origin authentication by limiting or turning off the cross-origin authentication feature for tenants.
- Enable breached password detection by activating breached password detection or using Credential Guard to identify and prevent the use of compromised passwords.
- Prohibit weak passwords by enforcing policies that prevent users from choosing weak or easily guessable passwords.
- Adopt passwordless authentication by enrolling users in passwordless, phishing-resistant authentication methods using new standards like passkeys.
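The first recommendation, reviewing tenant logs for fcoa, scoa and pwd_leak events, is shown below as an added example that is not Okta's code or part of the advisory. It reads a constructed batch of tenant log records in JSON-lines form (the event type codes are the ones the advisory names; the field names `date`, `ip` and `user_name` are assumed here, and the addresses and accounts are made up) and flags the pattern that distinguishes credential stuffing from an ordinary forgotten password: one source address failing cross-origin authentication across many distinct accounts, plus any success from that same address. It also lists accounts for which a breached-password event fired, which are the ones to prioritise for a credential rotation.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample of tenant log records (JSON lines). Field names are an
# assumption about the export shape; addresses and accounts are invented.
SAMPLE_TENANT_LOG = """
{"type": "fcoa", "date": "2024-04-15T03:10:01Z", "ip": "203.0.113.7", "user_name": "alice@example.com"}
{"type": "fcoa", "date": "2024-04-15T03:10:02Z", "ip": "203.0.113.7", "user_name": "bob@example.com"}
{"type": "fcoa", "date": "2024-04-15T03:10:02Z", "ip": "203.0.113.7", "user_name": "carol@example.com"}
{"type": "fcoa", "date": "2024-04-15T03:10:03Z", "ip": "203.0.113.7", "user_name": "dana@example.com"}
{"type": "fcoa", "date": "2024-04-15T03:10:04Z", "ip": "203.0.113.7", "user_name": "alice@example.com"}
{"type": "fcoa", "date": "2024-04-15T03:10:05Z", "ip": "203.0.113.7", "user_name": "bob@example.com"}
{"type": "scoa", "date": "2024-04-15T03:10:06Z", "ip": "203.0.113.7", "user_name": "dana@example.com"}
{"type": "fcoa", "date": "2024-04-15T09:41:11Z", "ip": "198.51.100.2", "user_name": "erin@example.com"}
{"type": "scoa", "date": "2024-04-15T09:41:20Z", "ip": "198.51.100.2", "user_name": "erin@example.com"}
{"type": "pwd_leak", "date": "2024-04-15T11:02:00Z", "ip": "198.51.100.9", "user_name": "lee@example.com"}
"""


def parse_tenant_log(text: str) -> List[dict]:
    """Parse JSON-lines tenant log output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_cross_origin_events(events: Iterable[dict],
                                min_failures: int = 5,
                                min_distinct_users: int = 3) -> Dict:
    """Summarise cross-origin authentication events by source address.

    An address is reported as suspicious when it has produced at least
    `min_failures` fcoa events spread over at least `min_distinct_users`
    accounts; any scoa events from that address are listed alongside, since
    a success after a spray of failures is the outcome that needs follow-up.
    Accounts with a pwd_leak event are collected separately.
    """
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "successes": []})
    breached_users = set()

    for event in events:
        kind = event.get("type")
        ip = event.get("ip", "unknown")
        user = event.get("user_name", "unknown")
        if kind == "fcoa":
            per_ip[ip]["failed"] += 1
            per_ip[ip]["users"].add(user)
        elif kind == "scoa":
            per_ip[ip]["successes"].append(user)
        elif kind == "pwd_leak":
            breached_users.add(user)

    suspicious = {}
    for ip, stats in per_ip.items():
        if stats["failed"] >= min_failures and len(stats["users"]) >= min_distinct_users:
            suspicious[ip] = {
                "failed_attempts": stats["failed"],
                "distinct_users": len(stats["users"]),
                "successful_logins": sorted(stats["successes"]),
            }

    return {
        "suspicious_ips": suspicious,
        "breached_password_users": sorted(breached_users),
    }


if __name__ == "__main__":
    report = analyze_cross_origin_events(parse_tenant_log(SAMPLE_TENANT_LOG))
    print(json.dumps(report, indent=2))
```

The thresholds are deliberately conservative defaults; tune `min_failures` and `min_distinct_users` to the tenant's normal failure rate, and when residential proxies are in play expect the failures to be spread thinly over many addresses, so a second pass grouping by user agent or by time window is worth adding.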
by jdpoteet | May 29, 2024 | Videos/Podcasts
Join Dr. Mike Saylor, CEO of Blackswan Cybersecurity, as he shares his personal “war stories” from the frontlines of Incident Response and offers actionable insights on how organizations can effectively prepare for and manage cyber incidents. In this video, Dr. Saylor discusses the critical importance of building relationships with law enforcement, conducting tabletop exercises, and understanding the role of cyber insurance. His expert guidance is invaluable for companies looking to strengthen their cybersecurity defenses.
Cybersecurity Incident Response is a structured approach used by organizations to handle and mitigate the effects of security breaches or cyberattacks. Its primary goal is to minimize damage, reduce recovery time, and safeguard sensitive information.
Preparation is the foundation of an effective incident response plan. It involves creating detailed strategies, defining roles and responsibilities, setting up communication channels, and ensuring the necessary tools and technologies are in place. This also includes conducting regular training and simulations, such as tabletop exercises, to ensure all team members are ready to act in the event of a real incident.
Detection and analysis follow preparation, where organizations continuously monitor their systems for unusual or malicious activity. Advanced detection tools such as firewalls, intrusion detection systems (IDS), and Security Information and Event Management (SIEM) solutions are commonly used. Once a threat is identified, incident response teams work to understand its scope and impact.
In the containment phase, the goal is to isolate the threat to prevent it from spreading. This might involve taking compromised systems offline or applying network segmentation to quarantine affected areas.
Eradication involves removing the threat from the environment, such as deleting malware or closing vulnerabilities exploited during the attack.
Recovery is the process of restoring and validating system integrity, ensuring that the threat has been completely removed and the organization can safely resume normal operations.
Finally, the post-incident phase focuses on lessons learned. Teams conduct a thorough review of the incident to improve future responses, identify weaknesses in the security posture, and update protocols to prevent similar events.