Sarina

About Sarina Gandy

This author has not yet filled in any details.
So far Sarina Gandy has created 116 blog entries.

Celebrating 10 Years at WiCyS with Beth Hawthorne

Listen

Celebrating 10 Years at WiCyS with Beth Hawthorne

In this special episode recorded live at the 2024 WiCyS conference, Tashya Denose and Pam Lindemoen sit down with Beth Hawthorne, a seasoned professor and cybersecurity program director at Rider University. Beth stands out as a key figure in the cybersecurity community, having attended all ten years of the WiCyS conference and significantly shaping its inclusive and welcoming atmosphere. Her influence is particularly felt through her participation in the annual first-year panel, where she helps conference newcomers feel at home. In tjis episode, Beth shares her extensive academic journey and her unwavering commitment to diversifying the field of cybersecurity. From being one of the few women in tech at the start of her career to mentoring the next generation of cyber professionals, Beth’s story is a beacon of inspiration for anyone looking to make their mark in cybersecurity.

Find us on social media – @DoWeBelongPod

2024-07-17T11:26:13-04:00June 28, 2024|
Read More

Andrea Frost on Finding Her Place: A Journey from Ski Slopes to Cyber

Listen

Andrea Frost on Finding Her Place: A Journey from Ski Slopes to Cyber

Andrea Frost is a Senior Software Security Engineer at Dell Technologies and has been working in the cyber industry for the past 10 years. In this in-person episode recorded at the 2024 WiCyS Conference, Andrea sat down with Tashya Denose and Pam Lindemoen to talk about her journey from working on the ski slopes in the winters and volunteering as a fireman in the summers to becoming a leading woman in cybersecurity. She tells the story of how attending her first WiCyS conference 9 years ago changed the entire trajectory of her life and career, and touches on the lifecycle of the WiCyS conference and the impact it is making on the women of this industry. Finally, she deep dives into the inception of the WiCyS Career Growth Hub and its role in supporting industry newcomers.

Find Andrea on LinkedIn: https://www.linkedin.com/in/jovianna-gonzalez/

Watch the podcast on YouTube: youtube.com/@cybersecurityfl

Find us on social media – @DoWeBelongPod

Learn more about Cyber Florida – cyberflorida.org

2024-06-27T11:31:26-04:00June 12, 2024|
Read More

Jovianna Gonzalez on Turning Challenges Into Opportunities

Listen

Jovianna Gonzalez on Turning Challenges Into Opportunities

Jovianna Gonzalez is the CEO and founder of Digital Forensics, the first Hispanic-owned women’s digital forensics and cybersecurity company in the US. In this episode, Tashya Denose and Pam Lindemoen talk to Jovianna about her journey from aspiring attorney to digital forensics expert, highlighting the importance of being open to new opportunities and having an investigative mindset. She emphasizes the significance of allies and mentors in her career and the need for ethical practices in the field of digital forensics. Jovianna also discusses the importance of mental health and work-life balance, sharing strategies she implements within her own team to ensure that each of her employees is set up for success.

Find Jovianna on LinkedIn: https://www.linkedin.com/in/jovianna-gonzalez/

Learn more about Digital Forensics Now: http://www.digitalforensicsnow.com/

Find us on social media – @DoWeBelongPod

Learn more about Cyber Florida – cyberflorida.org

Watch the podcast on YouTube: youtube.com/@cybersecurityfl

2024-06-27T11:20:06-04:00May 28, 2024|
Read More

Empowering the Next Generation: Bianca Lewis at Sunshine CyberCon

Listen

Empowering the Next Generation: Bianca Lewis at Sunshine CyberCon

Bianca Lewis, aka BiaSciLab, is quickly becoming a household name in the cybersecurity world, and for good reason. At just 17 years old, Bia is not only a prodigious hacker but also a five-time DEFCON speaker and the visionary CEO behind Girls Who Hacker organization. In this live session recorded at the 2024 Sunshine Cyber Conference, Pam Lindemoen and special guest host Dr. Candi Ring delve into Bia’s extraordinary journey through the cybersecurity over the past decade. Together, we explore the boundless potential of her generation in propelling the cybersecurity landscape into uncharted territories. Tune in as we uncover the driving force behind Bia’s rise and the invaluable lessons her story imparts about passion, purpose, and the transformative power of new perspectives.

Follow Bia: instagram.com/biascilab/

Learn more about Girls Who Hack: girlswhohack.com/

Find us on social media – @DoWeBelongPod

Learn more about Cyber Florida – cyberflorida.org

Watch the podcast on YouTube: youtube.com/@cybersecurityfl

2024-06-27T11:19:58-04:00May 1, 2024|
Read More

Teaching Digital Natives Webinar

Join our Operation K12 team to explore Teaching Digital Natives.

In this webinar, we’ll explore the dynamic realm of Teaching Digital Natives. Join us to delve into a comprehensive cybersecurity program designed to equip educators with effective strategies, compelling content, and inspiration for both summer camps and middle school courses.

2024-09-20T10:25:43-04:00April 29, 2024|
Read More

Volt Typhoon Attacks U.S. Critical Infrastructures Using LOTL Techniques

I. Targeted Entities

U.S. Critical Infrastructures

II. Introduction

CISA, NSA, and FBI have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental U.S. and its territories, including Guam.

Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.

These actors could use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. (Cybersecurity and Infrastructure Security Agency, 2024)

III. Additional Background Information

In December 2023, an operation disrupted a botnet comprising hundreds of U.S.-based small office/home office (SOHO) routers that were hijacked by state-sponsored hackers from the People’s Republic of China (PRC). The hackers, known to the private sector as “Volt Typhoon,” used privately-owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against the U.S. and other foreign victims. These further hacking activities included a campaign targeting critical infrastructure organizations in the U.S. and elsewhere that was the subject of a May 2023 FBI, National Security Agency, and CISA advisory (Office of Public Affairs, 2024).

The KV Botnet primarily targets Cisco and Net Gear routers, exploiting a vulnerability due to their “end of service” status. This means they were no longer receiving security patches or software updates from the manufacturer. The operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet (Office of Public Affairs, 2024).

Volt Typhoon employs a multi-faceted approach to infiltrate and compromise target networks, starting with comprehensive pre-compromise reconnaissance to understand the network architecture and operational protocols. They exploit vulnerabilities in public-facing network appliances to gain initial access, then aim to escalate privileges within the network, often targeting administrator credentials. Utilizing valid credentials, they move laterally through the network, leveraging remote access services like Remote Desktop Protocol (RDP) to reach critical devices such as domain controllers (DC). Volt Typhoon conducts discovery within the network, utilizing stealthy tactics such as living-off-the-land (LOTL) binaries and PowerShell queries on event logs to extract critical information while minimizing detection. LOTL tools like ntdsutil, netsh, and systeminfo were used to gather information about the network service and system details. Also, Volt Typhoon implanted binary files such as SMSvcService.exe and Brightmetricagent.exe that can open reverse proxies between a compromised device and malicious C2 servers. The PowerShell script logins.ps1 was also observed collecting successful logon events on infected systems without being noticed. (Cybersecurity and Infrastructure Security Agency, 2024).

After achieving full domain compromise, Volt Typhoon extracts the Active Directory database (NTDS.dit) from the DC using techniques like the Volume Shadow Copy Service (VSS), bypassing file locking mechanisms. Additionally, Volt Typhoon uses offline password cracking methods to decipher hashed passwords, enabling elevated access within the network. With elevated credentials, Volt Typhoon focuses on strategic network infiltration, aiming to access Operational Technology (OT) assets, such as sensors and control systems. Volt Typhoon was observed testing access to OT systems using default vendor credentials and exploiting compromised credentials obtained through NTDS.dit theft. This access grants them the capability to potentially disrupt critical infrastructure systems such as HVAC and energy controls, indicating a significant threat to infrastructure security (Cybersecurity and Infrastructure Security Agency, 2024).

The second vulnerability, CVE-2024-1708, is related to CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Although it is considered less severe as it is unlocked by CVE-2024-1079, it must not be underestimated (Team Huntress, 2024). This vulnerability involves manipulating ZIP file paths when extracting its contents. Attackers can then modify these contents and execute malicious code (Poudel, 2024). To do this, a malicious actor needs to have both administrative credentials and create a malicious extension inside C:Program Files (x86)ScreenConnectApp_Extensions to write files anywhere within the folder (Team Huntress, 2024). Team Huntress showed that this ZipSlip attack was not necessary, as malicious actors can run code by accessing a ScreenConnect feature called “Extensions”. This could potentially go easily unnoticed in a system since no other extensions need to be installed (Team Huntress, 2024).

ConnectWise released a patched version of ScreenConnect on February 21st, 2024, and recommends updating all 23.9.7 and earlier versions to 23.9.8 (ConnectWise, 2024). As of today, February 22nd, 2024, 3,800 instances of ScreenConnect have been found vulnerable, and need to be updated to the latest version in order to prevent malicious actors from accessing the ScreenConnect environment. ConnectWise added that Cloud instances were automatically patched, while On-Prem partners need to install all the required updates manually to remediate against both vulnerabilities (ConnectWise).

IV. MITRE ATT&CK

  • T1592 – Gather Victim Host Information
    Adversaries may obtain crucial details about victim hosts, encompassing administrative data (e.g., name, assigned IP) and configuration specifics (e.g., operating system). This information is gathered through various methods, including direct actions like Active Scanning or Phishing, as well as compromising sites to collect data from visitors.
  • T1583.003 – Acquire Infrastructure: Botnet
    Adversaries may obtain compromised systems through purchasing, leasing, or renting botnets, which are networks of compromised systems. By utilizing these botnets, adversaries can orchestrate coordinated tasks, including subscribing to services like booter/stresser to launch large-scale activities such as Phishing or Distributed Denial of Service (DDoS) attacks.
  • T1190 – Exploit Public-Facing Application
    Adversaries may exploit weaknesses in internet-facing systems, targeting software bugs, glitches, or misconfigurations. This may involve websites, databases, standard services, or network protocols, potentially leading to compromise. Cloud-based or containerized applications could provide access to underlying infrastructure, cloud/container APIs, or exploitation of weak access management. Edge network infrastructure and appliances may also be targeted. Frameworks like OWASP and CWE can be used to identify common web vulnerabilities that adversaries may exploit.
  • T1078 – Valid Accounts
    Adversaries leverage compromised credentials for various purposes such as Initial Access, Persistence, Privilege Escalation, or Defense Evasion. These credentials can circumvent access controls for resources, provide persistent access to remote systems, and access services like VPNs or Outlook Web Access. Adversaries often opt for legitimate access to evade detection, and inactive accounts may be exploited to avoid detection. The overlap of permissions across systems poses a risk, allowing adversaries to pivot and attain high-level access, bypassing enterprise controls.
  • T1068 – Exploitation for Privilege Escalation
    Adversaries may exploit software vulnerabilities to elevate privileges, capitalizing on programming errors in operating systems or kernel code to execute adversary-controlled actions. When operating with lower privileges, adversaries target higher-privileged components to escalate access, potentially reaching SYSTEM or root permissions. By exploiting vulnerabilities in drivers, adversaries may introduce a Bring Your Own Vulnerable Driver (BYOVD) for kernel mode code execution.
  • T1110.002 – Brute Force: Password Cracking
    Adversaries use password cracking techniques to recover usable credentials, especially plaintext passwords, when they obtain credential material like password hashes. Techniques like OS Credential Dumping and Data from Configuration Repository can provide hashed credentials. Adversaries may systematically guess passwords or use pre-computed rainbow tables outside the target network to crack hashes, obtaining plaintext passwords for unauthorized access.
  • Other Relevant MITRE ATT&CK Techniques
    T1133, T1059, T1587.004, T1589, T1590, T1591, T1593.

V. Recommendations

  • Apply patches
    Prioritize patching key assets, known exploited vulnerabilities, and vulnerabilities in appliances frequently exploited by Volt Typhoon, such as Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices.
  • Limit internet exposure of systems
    An infrastructure’s primary attack surface is the combination of the exposure to all its internet-facing systems. One way to decrease the likelihood of a Volt Typhoon attack is to not expose systems to the internet when not necessary.
  • Secure credentials and sensitive data
    Ensure edge devices do not contain accounts or plaintext credentials that could provide admin access and ensure that only authenticated and authorized users can access the data.
  • Implement MFA and the principle of least privilege
    Make sure that MFA is enabled for every account and ensure administrator accounts only have the minimum permissions.
  • Secure remote access services
    Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.
  • Implement network segmentation
    This practice can minimize the risk of lateral movement within networks, prevent and limit unauthorized access across domain boundaries, and isolate servers from other systems.
  • Secure cloud assets
    Revoke unnecessary public access to the cloud environment by ensuring that services such as storage accounts, databases, and VMs are not publicly accessible unless necessary.

VII. IOCs (Indicators of Compromise)

CVE-2024-1709

Type Indicator
PowerShell Script

C:{redacted}logins.ps1
Folder Path

C:UsersPublicpro
Folder Path

C:WindowsTemptmpActive Directoryntds.jfm
Folder Path

C:WindowsTemptmpActive Directoryntds.dit
Folder Path

C:UsersPublicDocumentssysteminfo.dat
Folder Path

C:UsersPublicDocumentsuser.dat
Folder Path

Folder Path C:Users{redacted}DownloadsHistory.zip
Folder Path

C:WindowsSystem32rult3uil.log
File Name

comsvcs.dll
File Name

NTDS.dit

File Name

SMSvcService.exe

File Name

Brightmetricagent.exe

SHA256 Hash

edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b

18ecd7e43b13b70

SHA256 Hash

99b80c5ac352081a64129772ed5e1543d94cad708ba2adc4

6dc4ab7a0bd563f1

VII. References

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | Cybersecurity and Infrastructure Security Agency CISA. (2024, February 7). https://www.cisa.gov/news-events/cybersecurity-advisories/aa24038a#_Appendix_C:_MITRE

U.S. government disrupts botnet people’s republic of China used to conceal hacking of critical infrastructure. Office of Public Affairs | United States Department of Justice. (2024, January 31). https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Alessandro Lovadina, Joy Boddu, Likhitha Duggi

2024-07-11T11:28:23-04:00April 1, 2024|
Read More

From Novice to Cyber Ninja: Mari Galloway’s Journey to Self Empowerment

Listen

From Novice to Cyber Ninja: Mari Galloway’s Journey to Self Empowerment

Mari Galloway, CEO of the Women’s Society of Cyberjutsu, is a woman whose magnetic presence ignites every room she enters. Her power radiates in an undeniable way through her hair, attire, and unwavering confidence, and the Do We Belong Here team wanted to know – did her light always shine this bright or did she work to cultivate it over time?

In this episode of Do We Belong Here, Tashya Denose and Pam Lindemoen speak with Mari about how she got “stuck” in the cyber world, eventually leading her to working in Vegas with the biggest casinos in the world. As they navigate through her experiences, the trio reflects on the adage that what happens in Vegas doesn’t always stay in Vegas, especially in the realm of cybersecurity.

The discussion explores Mari’s evolution of self-confidence as she reflects on the challenges of being a trailblazing black woman in a predominantly male-dominated field. They also dive deep into Mari’s chapter of “Securing Our Future” by the Black Women in Cyber Collective and explore the pivotal role of finding your community in fostering resilience and self-empowerment.

Women’s Society of Cyberjutsu – womenscyberjutsu.org

Connect with Mari on LinkedIn – linkedin.com/in/themarigalloway/

Find us on social media – @DoWeBelongPod

Learn more about Cyber Florida – cyberflorida.org

Watch the podcast on YouTube: youtube.com/@cybersecurityfl

2024-03-26T08:58:19-04:00March 26, 2024|
Read More

Cyber Florida Hosts the Inaugural CyberLaunch Competition

On March 1, 2024, Cyber Florida proudly hosted the inaugural CyberLaunch Competition in Orlando, Florida. The event marked a resounding success, with over 900 students from 97 schools and 44 districts uniting to test their cybersecurity skills, overcome new challenges, and network with potential employers in the cyber industry!

As Florida’s first statewide high school cybersecurity competition, CyberLaunch aimed to introduce high school students to the universe of cybersecurity careers through the fun of a statewide competition. The event provided a safe, cost-effective, and low-pressure environment for students to showcase their abilities, collaborate as teams, and gain valuable experience in the thrilling world of cybersecurity competitions.

CyberLaunch featured two competition tracks to cater to diverse skill levels, and both competitions were created with the help of EC-Council. The Guided competition was designed for competition beginners, and the Advanced Capture-The-Flag (CTF) was tailored for those with previous experience in CTF competitions.

Here are the notable winning teams from each category:

Guided Winning Teams –

1st place | NeoCity Academy (Osceola County) Teacher: Juan Tovar

2nd place | – Bayshore High School (Manatee County) Teacher: Chuck Routhier

3rd place | Doral Academy (Miami-Dade) Teacher: Jose Luis Del Valle/ Luis Santa Cruz

4th place | NeoCity Academy (Osceola County) Teacher: Juan Tovar

Advanced CTF Winning Teams:

1st place | John A. Ferguson Senior High School (Miami-Dade)Teacher: Maria Hernandez

2nd place | Crooms Academy of Information Technology (Seminole County) Teacher: Halima Fisher

3rd place | Hernando High School (Hernando County) Teacher: Mason Lewis

Beyond the competition, CyberLaunch featured an exhibit hall featuring more than 50 companies and organizations. Students had the chance to network with industry professionals, explore potential career paths, and gain insights into the diverse opportunities available in the ever-evolving field of cybersecurity.

This event not only celebrated the remarkable achievements of Florida’s high school students but also highlighted the crucial role educators play in nurturing the next generation of cybersecurity professionals. The Cyber Florida team is committed to continuing this journey of empowerment, fostering a future where students and teachers alike thrive in the vast and exciting landscape of cybersecurity possibilities.

Stay tuned for more details regarding the 2025 CyberLaunch Competition!

2024-07-26T10:06:05-04:00March 8, 2024|
Read More

Multiple Vulnerabilities Found in ConnectWise ScreenConnect

I. Targeted Entities

ConnectWise ScreenConnect customers

II. Introduction

A critical authentication bypass has been discovered in ConnectWise’s ScreenConnect, a software for remote desktop access. This exploit potentially allows attackers access to confidential information and critical systems without needing the proper credentials. Once authenticated via the authentication bypass, attackers can leverage a path-traversal vulnerability to potentially execute remote code inside critical systems.

III. Additional Background Information

On February 19, 2024, ConnectWise released a Threat Advisory for patching multiple vulnerabilities discovered in the company’s ScreenConnect software. ScreenConnect is a remote desktop and access software that can be used for direct connections to desktops, mobile devices, and more. The vulnerabilities, CVE-2024-1709 and CVE-2024-1708, were first reported on February 13th. These vulnerabilities have been classified as significantly exploitable with CVE-2024-1709 receiving a 10.0 critical base score and CVE-2024-1708 receiving an 8.4 high base score by NIST.

The first vulnerability, CVE-2024-1709, involves authentication bypass, which is directly related to CWE-288 – Authentication Bypass Using an Alternate Path or Channel. A flaw was found in a text file named “SetupWizard.aspx”, which has the functionality of setting up the administrative user and installing a license for the system. In unpatched versions, this setup file can be accessed even after the initial setup is completed. This is accomplished by adding additional components after the legitimate URL to SetupWizard.aspx (/SetupWizard.aspx/[anything]) and exploiting how the .NET framework handles URL paths. The code inside the text file does not check if the ScreenConnect instance setup has already been completed, making it possible for anyone to access the setup wizard and overwrite the internal user database, effectively gaining administrative access (Poudel, 2024).

The second vulnerability, CVE-2024-1708, is related to CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Although it is considered less severe as it is unlocked by CVE-2024-1079, it must not be underestimated (Team Huntress, 2024). This vulnerability involves manipulating ZIP file paths when extracting its contents. Attackers can then modify these contents and execute malicious code (Poudel, 2024). To do this, a malicious actor needs to have both administrative credentials and create a malicious extension inside C:Program Files (x86)ScreenConnectApp_Extensions to write files anywhere within the folder (Team Huntress, 2024). Team Huntress showed that this ZipSlip attack was not necessary, as malicious actors can run code by accessing a ScreenConnect feature called “Extensions”. This could potentially go easily unnoticed in a system since no other extensions need to be installed (Team Huntress, 2024).

ConnectWise released a patched version of ScreenConnect on February 21st, 2024, and recommends updating all 23.9.7 and earlier versions to 23.9.8 (ConnectWise, 2024). As of today, February 22nd, 2024, 3,800 instances of ScreenConnect have been found vulnerable, and need to be updated to the latest version in order to prevent malicious actors from accessing the ScreenConnect environment. ConnectWise added that Cloud instances were automatically patched, while On-Prem partners need to install all the required updates manually to remediate against both vulnerabilities (ConnectWise).

V. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Applications
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Adversaries exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.
  • T1068 – Exploitation for Privilege Escalation
    Adversaries may exploit software vulnerabilities to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
  • T1105 – Ingress Tool Transfer
    Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command-and-control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment.
  • T1136 – Create Account
    Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
  • T1203 – Exploitation for Client Execution
    Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution.

VI. Recommendations

  • On-premise users should immediately upgrade to ScreenConnect version 23.9.8 or later as these versions patch the vulnerabilities.
  • Refer to ConnectWise’s guide for upgrading to the newest software version: Upgrade an on-premises installation.
  • Refer to this link to download the newest ScreenConnect patches: ScreenConnect Patch Download
  • It is important to keep all software up to date with the latest patches.
  • Check your system for indicators of compromise in the last 30 days.

VII. IOCs (Indicators of Compromise)

CVE-2024-1709

Type Indicator
Threat Actor IP Address

155[.]133[.]5[.]15
Threat Actor IP Address

155[.]133[.]5[.]14
Threat Actor IP Address

118[.]69[.]65[.]60
Setup Wizard Sigma Rule Sigma Rule Github Page
ScreenConnect New User Database XML File Modification Sigma Rule Sigma Rule Github Page
Setup Wizard YARA Rule YARA Rule Github Page

CVE-2024-1708

Type Indicator
Threat Actor IP Address

155[.]133[.]5[.]15
Threat Actor IP Address

155[.]133[.]5[.]14
Threat Actor IP Address

118[.]69[.]65[.]60
App Extensions Directory Sigma Rule Sigma Rule Github Page

VII. Additional OSINT Information

Sigma rule for detecting requests made to the Setup Wizard with trailing paths (Huntress).

Sigma rule for detecting the ScreenConnect server writing to a temporary XML file (Huntress).

Setup Wizard YARA Rule for detecting Internet Information Services (IIS) log entries in reference to the SetupWizard (Huntress).

Sigma rule that alerts file modifications in the App_Extensions root directory (Huntress).

VIII. References

CVE-2024-1709. NIST. (n.d.-b). https://nvd.nist.gov/vuln/detail/CVE-2024-1709

CVE-2024-1708. NIST. (n.d.-a). https://nvd.nist.gov/vuln/detail/CVE-2024-1708

ConnectWise ScreenConnect 23.9.8 security fix. ConnectWise. (2024, February 19). https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Detection guidance for ConnectWise CWE-288. Huntress. (2024a, February 20). https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2

Understanding the ConnectWise screenconnect CVE-2024-1709 & CVE-2024-1708: Huntress blog. Huntress. (2024, February 21). https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

Mitre ATT&CK®. MITRE. (n.d.). https://attack.mitre.org/

Poudel, S. (2024, February 22). Unveiling the ScreenConnect authentication bypass (CVE-2024-1709 & CVE-2024-1708). Logpoint. https://www.logpoint.com/en/blog/emerging-threats/screenconnect-authentication-bypass/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Alessandro Lovadina, Benjamin Price

2024-07-11T11:28:47-04:00February 27, 2024|
Read More

Cyber Florida Partners with WiCyS and Cisco to Tell A Story of Women in Cybersecurity

TAMPA – February 15, 2024 – Cyber Florida, Women in CyberSecurity (WiCyS), and Cisco are honored to announce their partnership to help tell the story of women in the cybersecurity industry. The efforts will include a live session with Jenny Radcliffe, also known as the People Hacker, at the 2024 WiCyS conference in Nashville, Tennessee, and a documentary centered around the women of cyber.

This partnership is in direct collaboration with the Do We Belong Here Podcast powered by Cyber Florida. Do We Belong Here aims to provide women and allies in the cybersecurity industry with a space to share their experiences and engage in open conversations about the industry. The podcast is hosted by Tashya Denose and Cisco’s Chief Information Security Officer Advisor Pam Lindemoen, who describes this joint partnership as crucial because “Cisco’s commitment to fostering an inclusive future for all propels me towards initiatives such as this podcast. Our goal is to inspire, educate, and advocate for diversity, equity, and inclusion. We aim to attract a richly diverse, talented pool of individuals to our field, thereby fortifying the cybersecurity workforce. Through these efforts, I hope we embody and advance Cisco’s mission.”

“Partnerships like this allow us to put Cyber Florida on a national stage and make a greater impact while telling the untold stories of this industry. Cyber Florida recognizes there is a need to close the workforce gap and bring diverse personalities and perspectives into the field to help secure our nation,” said Cyber Florida Director Ernie Ferraresso.

The annual WiCyS conference is the premiere conference for recruiting, retaining, and advancing women in cybersecurity. Each year, the WiCyS conference brings together thousands of women and allies in cybersecurity in academia, research, and government, and industry. WiCyS is delighted to have Jenny Radcliffe speak at the conference , taking place April 11-13, 2024.

The session will focus on the experiences of Jenny Radcliffe and the role that perseverance has played in her life and career, with the intention of encouraging the WiCyS audience and all women of cyber to embrace their own unique power in this industry. “As a Social Engineer I know the power of stories, so I am delighted to support this event and excited to hear about the different routes into the industry from WiCyS and their members,” said Radcliffe.

“Keeping it real and letting folks know ‘yes, I do belong here’ is what this partnership is bringing to life,” states Dr. Janell Straach, WiCyS 2024 Conference Chair and WiCyS organization Chair of the Board. “At the WiCyS conference, we gather thousands of women in cybersecurity to not only highlight diverse talent but provide opportunities for education and networking.

Tickets for the 2024 WiCyS Conference go on sale February 19. Join us for your chance to witness this session and be a part of the story: www.wicys.org/events/wicys-2024/

Catch up on all the episodes of the Do We Belong Here Podcast: www.cyberflorida.org/dowebelongpod

About Cyber Florida
The Florida Center for Cybersecurity (also known as Cyber Florida) was established by the State of Florida in 2014 to make the Sunshine State one of the most cyber-secure in the nation by promoting cybersecurity education, research, and outreach in partnership with the 12 State University System of Florida (SUS) institutions. Hosted by the University of South Florida, the Center is committed to increasing the number of K-12 students interested in and prepared for careers in cybersecurity and related STEM disciplines.

About WiCyS
Women in CyberSecurity (WiCyS) is a nonprofit organization with international reach dedicated to the recruitment, retention and advancement of women in cybersecurity. WiCyS was founded by Dr. Ambareen Siraj in 2013 through a National Science Foundation grant awarded to Tennessee Tech University. In less than 10 years, it has grown into an organization (est. in 2017) representing a leading alliance between trailblazers from academia, government, and industry. WiCyS offers opportunities, trainings, events, and resources for its members. Strategic partners include Tier 1: Akamai, Amazon Web Services, Battelle, Bloomberg, Carnegie Mellon University – Software Engineering Institute, Cisco, Fortinet, Google, Lockheed Martin, Meta, Microsoft, Optum, Sandia National Laboratories, SentinelOne. Tier 2: AbbVie, Aristocrat, Dell Technologies, Intel, JPMorgan Chase & Co., LinkedIn, McKesson, Nike, NCC Group, Workday, Navy Federal Credit Union, Yubico Inc., DeVry University. To partner, visit http://www.wicys.org/support/strategic-partnerships/.

About Cisco
Cisco is the worldwide technology leader that securely connects everything to make anything possible. Our purpose is to power an inclusive future for all by helping our customers reimagine their applications, power hybrid work, secure their enterprise, transform their infrastructure, and meet their sustainability goals. Discover more on The Newsroom and follow us on Twitter at @Cisco.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. A listing of Cisco’s trademarks can be found at www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.

2024-02-15T10:35:15-05:00February 15, 2024|
Read More

CONTACT US

Cyber Florida at USF
4202 E. Fowler Avenue, ISA7020
Tampa, FL 33620

Office meetings by appointment only

PRIVACY POLICY

Copyright 2024 The Florida Center for Cybersecurity at the University of South Florida. Information on this website is made available for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney or cybersecurity professional with sufficient expertise necessary to address your specific needs. Use of this website does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.