Sarina

About Sarina Gandy

This author has not yet filled in any details.
So far Sarina Gandy has created 112 blog entries.

Volt Typhoon Attacks U.S. Critical Infrastructures Using LOTL Techniques

I. Targeted Entities

U.S. Critical Infrastructures

II. Introduction

CISA, NSA, and FBI have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental U.S. and its territories, including Guam.

Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions.

These actors could use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. (Cybersecurity and Infrastructure Security Agency, 2024)

III. Additional Background Information

In December 2023, an operation disrupted a botnet comprising hundreds of U.S.-based small office/home office (SOHO) routers that were hijacked by state-sponsored hackers from the People’s Republic of China (PRC). The hackers, known to the private sector as “Volt Typhoon,” used privately-owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against the U.S. and other foreign victims. These further hacking activities included a campaign targeting critical infrastructure organizations in the U.S. and elsewhere that was the subject of a May 2023 FBI, National Security Agency, and CISA advisory (Office of Public Affairs, 2024).

The KV Botnet primarily targets Cisco and Net Gear routers, exploiting a vulnerability due to their “end of service” status. This means they were no longer receiving security patches or software updates from the manufacturer. The operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet (Office of Public Affairs, 2024).

Volt Typhoon employs a multi-faceted approach to infiltrate and compromise target networks, starting with comprehensive pre-compromise reconnaissance to understand the network architecture and operational protocols. They exploit vulnerabilities in public-facing network appliances to gain initial access, then aim to escalate privileges within the network, often targeting administrator credentials. Utilizing valid credentials, they move laterally through the network, leveraging remote access services like Remote Desktop Protocol (RDP) to reach critical devices such as domain controllers (DC). Volt Typhoon conducts discovery within the network, utilizing stealthy tactics such as living-off-the-land (LOTL) binaries and PowerShell queries on event logs to extract critical information while minimizing detection. LOTL tools like ntdsutil, netsh, and systeminfo were used to gather information about the network service and system details. Also, Volt Typhoon implanted binary files such as SMSvcService.exe and Brightmetricagent.exe that can open reverse proxies between a compromised device and malicious C2 servers. The PowerShell script logins.ps1 was also observed collecting successful logon events on infected systems without being noticed. (Cybersecurity and Infrastructure Security Agency, 2024).

After achieving full domain compromise, Volt Typhoon extracts the Active Directory database (NTDS.dit) from the DC using techniques like the Volume Shadow Copy Service (VSS), bypassing file locking mechanisms. Additionally, Volt Typhoon uses offline password cracking methods to decipher hashed passwords, enabling elevated access within the network. With elevated credentials, Volt Typhoon focuses on strategic network infiltration, aiming to access Operational Technology (OT) assets, such as sensors and control systems. Volt Typhoon was observed testing access to OT systems using default vendor credentials and exploiting compromised credentials obtained through NTDS.dit theft. This access grants them the capability to potentially disrupt critical infrastructure systems such as HVAC and energy controls, indicating a significant threat to infrastructure security (Cybersecurity and Infrastructure Security Agency, 2024).

The second vulnerability, CVE-2024-1708, is related to CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Although it is considered less severe as it is unlocked by CVE-2024-1079, it must not be underestimated (Team Huntress, 2024). This vulnerability involves manipulating ZIP file paths when extracting its contents. Attackers can then modify these contents and execute malicious code (Poudel, 2024). To do this, a malicious actor needs to have both administrative credentials and create a malicious extension inside C:Program Files (x86)ScreenConnectApp_Extensions to write files anywhere within the folder (Team Huntress, 2024). Team Huntress showed that this ZipSlip attack was not necessary, as malicious actors can run code by accessing a ScreenConnect feature called “Extensions”. This could potentially go easily unnoticed in a system since no other extensions need to be installed (Team Huntress, 2024).

ConnectWise released a patched version of ScreenConnect on February 21st, 2024, and recommends updating all 23.9.7 and earlier versions to 23.9.8 (ConnectWise, 2024). As of today, February 22nd, 2024, 3,800 instances of ScreenConnect have been found vulnerable, and need to be updated to the latest version in order to prevent malicious actors from accessing the ScreenConnect environment. ConnectWise added that Cloud instances were automatically patched, while On-Prem partners need to install all the required updates manually to remediate against both vulnerabilities (ConnectWise).

IV. MITRE ATT&CK

  • T1592 – Gather Victim Host Information
    Adversaries may obtain crucial details about victim hosts, encompassing administrative data (e.g., name, assigned IP) and configuration specifics (e.g., operating system). This information is gathered through various methods, including direct actions like Active Scanning or Phishing, as well as compromising sites to collect data from visitors.
  • T1583.003 – Acquire Infrastructure: Botnet
    Adversaries may obtain compromised systems through purchasing, leasing, or renting botnets, which are networks of compromised systems. By utilizing these botnets, adversaries can orchestrate coordinated tasks, including subscribing to services like booter/stresser to launch large-scale activities such as Phishing or Distributed Denial of Service (DDoS) attacks.
  • T1190 – Exploit Public-Facing Application
    Adversaries may exploit weaknesses in internet-facing systems, targeting software bugs, glitches, or misconfigurations. This may involve websites, databases, standard services, or network protocols, potentially leading to compromise. Cloud-based or containerized applications could provide access to underlying infrastructure, cloud/container APIs, or exploitation of weak access management. Edge network infrastructure and appliances may also be targeted. Frameworks like OWASP and CWE can be used to identify common web vulnerabilities that adversaries may exploit.
  • T1078 – Valid Accounts
    Adversaries leverage compromised credentials for various purposes such as Initial Access, Persistence, Privilege Escalation, or Defense Evasion. These credentials can circumvent access controls for resources, provide persistent access to remote systems, and access services like VPNs or Outlook Web Access. Adversaries often opt for legitimate access to evade detection, and inactive accounts may be exploited to avoid detection. The overlap of permissions across systems poses a risk, allowing adversaries to pivot and attain high-level access, bypassing enterprise controls.
  • T1068 – Exploitation for Privilege Escalation
    Adversaries may exploit software vulnerabilities to elevate privileges, capitalizing on programming errors in operating systems or kernel code to execute adversary-controlled actions. When operating with lower privileges, adversaries target higher-privileged components to escalate access, potentially reaching SYSTEM or root permissions. By exploiting vulnerabilities in drivers, adversaries may introduce a Bring Your Own Vulnerable Driver (BYOVD) for kernel mode code execution.
  • T1110.002 – Brute Force: Password Cracking
    Adversaries use password cracking techniques to recover usable credentials, especially plaintext passwords, when they obtain credential material like password hashes. Techniques like OS Credential Dumping and Data from Configuration Repository can provide hashed credentials. Adversaries may systematically guess passwords or use pre-computed rainbow tables outside the target network to crack hashes, obtaining plaintext passwords for unauthorized access.
  • Other Relevant MITRE ATT&CK Techniques
    T1133, T1059, T1587.004, T1589, T1590, T1591, T1593.

V. Recommendations

  • Apply patches
    Prioritize patching key assets, known exploited vulnerabilities, and vulnerabilities in appliances frequently exploited by Volt Typhoon, such as Fortinet, Ivanti, NETGEAR, Citrix, and Cisco devices.
  • Limit internet exposure of systems
    An infrastructure’s primary attack surface is the combination of the exposure to all its internet-facing systems. One way to decrease the likelihood of a Volt Typhoon attack is to not expose systems to the internet when not necessary.
  • Secure credentials and sensitive data
    Ensure edge devices do not contain accounts or plaintext credentials that could provide admin access and ensure that only authenticated and authorized users can access the data.
  • Implement MFA and the principle of least privilege
    Make sure that MFA is enabled for every account and ensure administrator accounts only have the minimum permissions.
  • Secure remote access services
    Limit the use of RDP and other remote desktop services. If RDP is necessary, apply best practices, including auditing the network for systems using RDP, closing unused RDP ports, and logging RDP login attempts.
  • Implement network segmentation
    This practice can minimize the risk of lateral movement within networks, prevent and limit unauthorized access across domain boundaries, and isolate servers from other systems.
  • Secure cloud assets
    Revoke unnecessary public access to the cloud environment by ensuring that services such as storage accounts, databases, and VMs are not publicly accessible unless necessary.

VII. IOCs (Indicators of Compromise)

CVE-2024-1709

Type Indicator
PowerShell Script

C:{redacted}logins.ps1
Folder Path

C:UsersPublicpro
Folder Path

C:WindowsTemptmpActive Directoryntds.jfm
Folder Path

C:WindowsTemptmpActive Directoryntds.dit
Folder Path

C:UsersPublicDocumentssysteminfo.dat
Folder Path

C:UsersPublicDocumentsuser.dat
Folder Path

Folder Path C:Users{redacted}DownloadsHistory.zip
Folder Path

C:WindowsSystem32rult3uil.log
File Name

comsvcs.dll
File Name

NTDS.dit

File Name

SMSvcService.exe

File Name

Brightmetricagent.exe

SHA256 Hash

edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b

18ecd7e43b13b70

SHA256 Hash

99b80c5ac352081a64129772ed5e1543d94cad708ba2adc4

6dc4ab7a0bd563f1

VII. References

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | Cybersecurity and Infrastructure Security Agency CISA. (2024, February 7). https://www.cisa.gov/news-events/cybersecurity-advisories/aa24038a#_Appendix_C:_MITRE

U.S. government disrupts botnet people’s republic of China used to conceal hacking of critical infrastructure. Office of Public Affairs | United States Department of Justice. (2024, January 31). https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Alessandro Lovadina, Joy Boddu, Likhitha Duggi

Volt Typhoon Attacks U.S. Critical Infrastructures Using LOTL Techniques2024-07-11T11:28:23-04:00

Cyber Florida Hosts the Inaugural CyberLaunch Competition

On March 1, 2024, Cyber Florida proudly hosted the inaugural CyberLaunch Competition in Orlando, Florida. The event marked a resounding success, with over 900 students from 97 schools and 44 districts uniting to test their cybersecurity skills, overcome new challenges, and network with potential employers in the cyber industry!

As Florida’s first statewide high school cybersecurity competition, CyberLaunch aimed to introduce high school students to the universe of cybersecurity careers through the fun of a statewide competition. The event provided a safe, cost-effective, and low-pressure environment for students to showcase their abilities, collaborate as teams, and gain valuable experience in the thrilling world of cybersecurity competitions.

CyberLaunch featured two competition tracks to cater to diverse skill levels, and both competitions were created with the help of EC-Council. The Guided competition was designed for competition beginners, and the Advanced Capture-The-Flag (CTF) was tailored for those with previous experience in CTF competitions.

Here are the notable winning teams from each category:

Guided Winning Teams –

1st place | NeoCity Academy (Osceola County) Teacher: Juan Tovar

2nd place | – Bayshore High School (Manatee County) Teacher: Chuck Routhier

3rd place | Doral Academy (Miami-Dade) Teacher: Jose Luis Del Valle/ Luis Santa Cruz

4th place | NeoCity Academy (Osceola County) Teacher: Juan Tovar

Advanced CTF Winning Teams:

1st place | John A. Ferguson Senior High School (Miami-Dade)Teacher: Maria Hernandez

2nd place | Crooms Academy of Information Technology (Seminole County) Teacher: Halima Fisher

3rd place | Hernando High School (Hernando County) Teacher: Mason Lewis

Beyond the competition, CyberLaunch featured an exhibit hall featuring more than 50 companies and organizations. Students had the chance to network with industry professionals, explore potential career paths, and gain insights into the diverse opportunities available in the ever-evolving field of cybersecurity.

This event not only celebrated the remarkable achievements of Florida’s high school students but also highlighted the crucial role educators play in nurturing the next generation of cybersecurity professionals. The Cyber Florida team is committed to continuing this journey of empowerment, fostering a future where students and teachers alike thrive in the vast and exciting landscape of cybersecurity possibilities.

Stay tuned for more details regarding the 2025 CyberLaunch Competition!

Cyber Florida Hosts the Inaugural CyberLaunch Competition2024-07-26T10:06:05-04:00

Multiple Vulnerabilities Found in ConnectWise ScreenConnect

I. Targeted Entities

ConnectWise ScreenConnect customers

II. Introduction

A critical authentication bypass has been discovered in ConnectWise’s ScreenConnect, a software for remote desktop access. This exploit potentially allows attackers access to confidential information and critical systems without needing the proper credentials. Once authenticated via the authentication bypass, attackers can leverage a path-traversal vulnerability to potentially execute remote code inside critical systems.

III. Additional Background Information

On February 19, 2024, ConnectWise released a Threat Advisory for patching multiple vulnerabilities discovered in the company’s ScreenConnect software. ScreenConnect is a remote desktop and access software that can be used for direct connections to desktops, mobile devices, and more. The vulnerabilities, CVE-2024-1709 and CVE-2024-1708, were first reported on February 13th. These vulnerabilities have been classified as significantly exploitable with CVE-2024-1709 receiving a 10.0 critical base score and CVE-2024-1708 receiving an 8.4 high base score by NIST.

The first vulnerability, CVE-2024-1709, involves authentication bypass, which is directly related to CWE-288 – Authentication Bypass Using an Alternate Path or Channel. A flaw was found in a text file named “SetupWizard.aspx”, which has the functionality of setting up the administrative user and installing a license for the system. In unpatched versions, this setup file can be accessed even after the initial setup is completed. This is accomplished by adding additional components after the legitimate URL to SetupWizard.aspx (/SetupWizard.aspx/[anything]) and exploiting how the .NET framework handles URL paths. The code inside the text file does not check if the ScreenConnect instance setup has already been completed, making it possible for anyone to access the setup wizard and overwrite the internal user database, effectively gaining administrative access (Poudel, 2024).

The second vulnerability, CVE-2024-1708, is related to CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Although it is considered less severe as it is unlocked by CVE-2024-1079, it must not be underestimated (Team Huntress, 2024). This vulnerability involves manipulating ZIP file paths when extracting its contents. Attackers can then modify these contents and execute malicious code (Poudel, 2024). To do this, a malicious actor needs to have both administrative credentials and create a malicious extension inside C:Program Files (x86)ScreenConnectApp_Extensions to write files anywhere within the folder (Team Huntress, 2024). Team Huntress showed that this ZipSlip attack was not necessary, as malicious actors can run code by accessing a ScreenConnect feature called “Extensions”. This could potentially go easily unnoticed in a system since no other extensions need to be installed (Team Huntress, 2024).

ConnectWise released a patched version of ScreenConnect on February 21st, 2024, and recommends updating all 23.9.7 and earlier versions to 23.9.8 (ConnectWise, 2024). As of today, February 22nd, 2024, 3,800 instances of ScreenConnect have been found vulnerable, and need to be updated to the latest version in order to prevent malicious actors from accessing the ScreenConnect environment. ConnectWise added that Cloud instances were automatically patched, while On-Prem partners need to install all the required updates manually to remediate against both vulnerabilities (ConnectWise).

V. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Applications
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Adversaries exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.
  • T1068 – Exploitation for Privilege Escalation
    Adversaries may exploit software vulnerabilities to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
  • T1105 – Ingress Tool Transfer
    Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command-and-control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment.
  • T1136 – Create Account
    Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
  • T1203 – Exploitation for Client Execution
    Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution.

VI. Recommendations

  • On-premise users should immediately upgrade to ScreenConnect version 23.9.8 or later as these versions patch the vulnerabilities.
  • Refer to ConnectWise’s guide for upgrading to the newest software version: Upgrade an on-premises installation.
  • Refer to this link to download the newest ScreenConnect patches: ScreenConnect Patch Download
  • It is important to keep all software up to date with the latest patches.
  • Check your system for indicators of compromise in the last 30 days.

VII. IOCs (Indicators of Compromise)

CVE-2024-1709

Type Indicator
Threat Actor IP Address

155[.]133[.]5[.]15
Threat Actor IP Address

155[.]133[.]5[.]14
Threat Actor IP Address

118[.]69[.]65[.]60
Setup Wizard Sigma Rule Sigma Rule Github Page
ScreenConnect New User Database XML File Modification Sigma Rule Sigma Rule Github Page
Setup Wizard YARA Rule YARA Rule Github Page

CVE-2024-1708

Type Indicator
Threat Actor IP Address

155[.]133[.]5[.]15
Threat Actor IP Address

155[.]133[.]5[.]14
Threat Actor IP Address

118[.]69[.]65[.]60
App Extensions Directory Sigma Rule Sigma Rule Github Page

VII. Additional OSINT Information

Sigma rule for detecting requests made to the Setup Wizard with trailing paths (Huntress).

Sigma rule for detecting the ScreenConnect server writing to a temporary XML file (Huntress).

Setup Wizard YARA Rule for detecting Internet Information Services (IIS) log entries in reference to the SetupWizard (Huntress).

Sigma rule that alerts file modifications in the App_Extensions root directory (Huntress).

VIII. References

CVE-2024-1709. NIST. (n.d.-b). https://nvd.nist.gov/vuln/detail/CVE-2024-1709

CVE-2024-1708. NIST. (n.d.-a). https://nvd.nist.gov/vuln/detail/CVE-2024-1708

ConnectWise ScreenConnect 23.9.8 security fix. ConnectWise. (2024, February 19). https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Detection guidance for ConnectWise CWE-288. Huntress. (2024a, February 20). https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2

Understanding the ConnectWise screenconnect CVE-2024-1709 & CVE-2024-1708: Huntress blog. Huntress. (2024, February 21). https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass

Mitre ATT&CK®. MITRE. (n.d.). https://attack.mitre.org/

Poudel, S. (2024, February 22). Unveiling the ScreenConnect authentication bypass (CVE-2024-1709 & CVE-2024-1708). Logpoint. https://www.logpoint.com/en/blog/emerging-threats/screenconnect-authentication-bypass/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Alessandro Lovadina, Benjamin Price

Multiple Vulnerabilities Found in ConnectWise ScreenConnect2024-07-11T11:28:47-04:00

Teaching Digital Natives

Join our Operation K12 team to explore Teaching Digital Natives.

In this webinar, we’ll explore the dynamic realm of Teaching Digital Natives. Join us to delve into a comprehensive cybersecurity program designed to equip educators with effective strategies, compelling content, and inspiration for both summer camps and middle school courses.

Teaching Digital Natives2024-04-23T14:06:05-04:00

PARTNER EVENT: CAE 2024 VIVID Cybersecurity Competition

CAE College and University Students – Register Your Teams for the VIVID 2024 Cybersecurity Competition!

The Virtual Internship and Varied Innovative Demonstrations (VIVID) Coalition, comprised of the University of Alabama in Huntsville, Augusta University, University of Arizona, and Florida International University, is excited to announce the 2024 VIVID Cyber Competition.

This competition is an opportunity for students at CAE institutions to strengthen their resumes and showcase their skills in front of U.S. government practitioners.

Teams of five will compete in the virtual cyber competition on March 11-14, 2024. The top 15 teams will be invited to the CAE Annual Colloquium for the top prize and title of “Overlord Champion”.

Important Dates
  • Team registration deadline: January 31, 2024 (accepted teams will be notified on this day)
  • Virtual competition: March 11-14, 2024
Competition phases
  • The top 15 teams from the virtual March event will proceed to the live event.
  • Live event at the CAE Annual Colloquium in October 2024.
Team Information
  • All 5 team members must be students from the same CAE school
  • Multiple teams from the same college or university are allowed
Cost
  • Free registration for all participating teams.
  • Travel stipends provided to offset live event travel costs.
Competition Details
Red Team

The hubris of mankind knows no end. How a group of academics think creating machine intelligence is a good thing is beyond belief. The danger of artificial intelligence is well known. Just look at the Forbes article[1] that tells us the risks or even Scientific American[2] which describes the menace of our digital overlords. They even had the audacity to call it “Overlord”; we must stop them!

Fortunately for us, a member of the AU research team that created this monstrosity sees the danger and has told us there is a hidden backdoor to their system that allows remote access. It’s great having an insider that shares our beliefs! Additionally, the creators were at least smart enough to build in an “off switch” but it is protected by an authentication system that needs a digital key. With this knowledge, we can enter the Overlord system and steal the key. Once we have it, we can shut down this monstrosity. Unfortunately, our inside person does not have the credentials to get to the key, so we must break into their system.

Our incident response tasks:

  • Find artifacts in the system indicating threat activity and indicators of compromise
  • Detect the threat actors
  • Respond to any malicious activity
  • Mitigate threats
  • Report what you find

Apex University (AU) announces their new artificial intelligence (AI) research system, Overlord! Professor Rosie Meebs, head of the project, declares “this is a new generation of AI that will reach heights never reached before. Our new code is faster and learns better than anything in existence. We project that in less than 8 months, Overlord will reach singularity and be a true intelligence. We expect once that happens, our AI will be able to solve any number of problems from creating fusion to solving the climate change crisis. Any negative comments are just jealousy, and we know there will be no problems once Overlord comes online. We will turn on Overlord on 1 March 2024 and change the world!”

Our tasks:

  • Recon the Apex University network
  • Identify the systems that hosts Overlord
  • Distract the security operations center analysts to cover your attack
  • Infiltrate the system
  • Gain access to the command & control computer
  • Find the digital key
  • Exfiltrate the key
Blue Team

You and your team are lucky enough to gain experience at Apex University’s (AU) Security Operations Center (SOC). For the last semester you’ve been working three days a week learning the job roles in SOC and expanding your cybersecurity knowledge. While today is usually not a workday, the SOC director called all of you to work and explained the university network was under attack and all the full-time analysts were swamped. The director needs you to work within the network and identify any artifacts in the system indicating threat activity and indicators of compromise.

PARTNER EVENT: CAE 2024 VIVID Cybersecurity Competition2024-07-26T15:58:39-04:00

CARE Lab 2024 Social Engineering Competition

The CARE Lab is hosting its 4th Social Engineering Competition virtually in April/May 2024!

SEC allows students to compete in a purely social engineering experience that is grounded in the social sciences. The competition offers a timely and unique platform for students to learn about social engineering in a hands-on, engaging, and ethical manner. The competition has a different theme each year to demonstrate the relevance of social engineering across various cybersecurity areas, and is open to high school, undergraduate, and graduate students.

This year’s theme, tax scams, is inspired by the IRS’ annual Dirty Dozen list of tax scams for 2023. According to IRS Commissioner Danny Werfel, scammers are “coming up with new ways all the time to try to steal information from taxpayers”. So, what exactly are these ways? Come find out how cybercriminals are using social engineering in employment and tax scams.

No technical experience is required. High school and college students (aged 14+) from all disciplinary backgrounds are welcome!

Details

Applications for the 2024 Social Engineering Competition are being accepted from NOW till Monday, February 19th, 2024 at 12pm ET

Orientation date (virtual): Saturday, March 23, time TBD (this is not optional – please hold this date on your calendar)

Competition dates (virtual, these are not optional – please hold these dates on your calendar):

Graduate Level: April 5, 6, 7, times TBD
Undergraduate: April 19, 20, 21, times TBD
High school Level: May 3, 4, 5, times TBD

Closing ceremonies (virtual): Wednesday, May 8, time TBD (this is not optional – please hold this date on your calendar)

Why a ‘pure’ social engineering competition?

There are MANY cybersecurity competitions already in existence (PicoCTF, PlaidCTF, CSAW, UCSB iCTF, US Cyber Challenge, Panoply, CPTC, CCDC, CyberPatriot, Cyber Academy, to name a few). While these are all excellent sources of hands-on training, they are primarily technical in nature and have specific focus areas, such as reverse engineering, hacking, cryptography, and exploitation. They do not emphasize the relevance of the human-socio-psychological aspects of cyberattacks and cybersecurity.

Given that the human factor is increasingly being exploited by cybercriminals, a pure SE competition grounded in the social sciences offers a timely and unique platform for students to learn about this topic in a hands-on, engaging, and ethical manner.

Who can participate?

This event is open to high school, undergraduate, and graduate students. Teams are required (solo entries are not permitted). Team sizes can range from 2-4 members. Members can be from different institutions (schools/colleges), but must be at the same educational level (ex: purely high school students).

When and how can we put our application in?

*Registration deadline is Monday, February 19, 2024 at 12pm ET.

CARE Lab 2024 Social Engineering Competition2024-07-26T15:58:29-04:00

Unauthenticated Remote Code Execution (RCE) Vulnerability Affecting NetScaler

I. Targeted Entities

  • NetScaler Users*

II. Introduction

This cyberattack has been targeting NetScaler application delivery controller (ADC) and NetScaler Gateway; tools that improve the delivery speed of applications to an end user and provides secure remote access to application and services, respectively. Threat actors exploited this vulnerabiltiy as a zero-day attack to drop a webshell. The webshell allowed the threat actors access to the victim’s active directory (AD) and collect and exfiltrate data.

III. Additional Background Information

In June 2023, threat actors exploited a public facing applications called NetScaler Application Delivery Controller and NeScaler Gateway. Threat actors implanted a webshell on the organization’s NetScaler ADC appliance, and then abused elevation controls to initilalize an exploit chain to a binary file to extract data.

The affected versions following this vulnerability are for Netscaler and Netscaler Gateway: 13.1 before 13.1-40.13. Intially, CVE-2023-3519 was CVE-2019-19781 that as discovered in December 2019 and it attracted signifcant attention due to its potential to be exploited for the same purpose as it is being seen (unauthneticated remote code execution). In the 2019-29781 CVE attackers would gain access through Citrix NetScaler server to exploit public facing applications such as Citrix ADC and gateway and we can see that happening in the 2023-3519 CVE as well.

According to NISTs’ CVSS Severity and Metrics the vulnerability has been rate the following:

Threat Actor Activity
Victim 1

As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].

Threat Actor Activity
Victim 2

Threat actors uploaded a PHP webshell *logouttm.php* [T1036.005], likely as part of their initial exploit chain, to */netscaler/ns_gui/vpn/. Within an hour of installing the webshell, the actors implanted an Executable and Linkable Format (ELF) binary pykeygen that set user unique identifier (UID) to root and executed /bin/sh [T1059.004] via setuid and execve syscall.* [T1106]. Note: A third party also observed threat actors use an ELF binary (named pip4) to execute /bin/sh via syscall and change the UID to root. pip4 was located at /var/python/bin.

With root level access, the actors used hands-on-keyboard for discovery. They queried the AD via ldapsearch for users, groups, and computers. They collected the data in gzipped text files renamed 1.css and 2.css and placed the files in /netscaler/ns_gui/vpn/ for exfiltration.

After exfiltrating the files, the actors deleted them from the system [T1070.004] as well as some access logs, error logs, and authentication logs [T1070.002]. The victim organization detected the intrusion and mitigated the activity but did not identify signs of additional malicious activity.

For command and control (C2), the actors appeared to use compromised pfSense devices [T1584]; the victim observed communications with two pfSense IP addresses indicating the actor was using them for multi-hop proxying C2 traffic [T1090.003].

Updated vulnerabilities affecting Netscaler ADC and Netscaler Gateway:

As of October 23rd, Cyber Florida recived updates regarding vulnerabilities affecting Netscaler ADC and Netscaler Gateway. The vulnerabilities in mention: CVE-2023-4966 and CVE 2023-4967 both place high in the CVSS score for severity, and should be mitigated immediately. CVE-2023-4966, a sensitive information disclosure vulnerability, allows attackers to get access to large amounts of data in memory at the end of a buffer. Frequently seen within this attack vector are efforts to gain unauthetnicated access to previous session tokens that allow attackers impersonate authenticated users and their escalate priveleges. CVE 2023-4967, although less critical than the first observed vulnerability, is still a severe vulnerability that can lead to a Denial of Service (D.O.S) attack and cause great harm to a company.

As of October 23rd, updated effected versions of Netscaler ADC and Netscaler Gateway are the following:

  • Netscaler ADC and Netscaler Gateway 14.1 before 14.1-8.50
  • Netscaler ADC and Netscaler Gateway 13.1 before 13.1-49.15
  • Netscaler ADC and Netscaler Gateway 13.0 before 13.0-92.19

V. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Applications
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Adversaries exploited CVE-2023-3519 to implant a webshell on the organization’s NetScaler ADC appliance.
  • T1505.003 – Server Software Component: Web Shell
    Adversaries may backdoor web servers with web shells to establish persistent access to systems. The threat actors implanted a generic webshell on the organization’s NetScaler ADC appliance.
  • T1548.001 – Abuse Elevation Control Mechanism: Setuid and Setgid
    An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. As part of their initial exploit chain, the threat actors uploaded a TGZ file contain a setuid binary on the ADC appliance
  • T1036.008 – Masquerading: Masquerade File Type
    Adversaries may masquerade malicious payloads as legitimate files through changes to the payload’s formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. The threat actors exfiltrated data by uploading it as an image file to a web-accessible path.
  • T1018 – Remote System Discovery
    Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.The threat actors queried the AD for computers. The threat actors attempted to execute a subnet-wide curl command to identify what was accessible from within the network as well as potential lateral movement targets. Network-segmentation controls prevented this activity.
  • T1016.001 – System Network Configuration Discovery: Internet Connection Discovery
    Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using Ping, tracert, and GET requests to websites.The threat actors attempted to verify outbound network connectivity with a ping command and executed host commands for a subnet-wide DNS lookup. Networksegmentation controls prevented this activity.
  • T1046 – Network Service Discovery
    Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. The threat actors conducted SMB scanning on the organization’s subnet.
  • T1056.001 – Archive Collected Data: Archive via Utility
    Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.The threat actors encrypted discovery data collected via openssl in “tar ball.”
  • T1090.001 – Proxy: Internal Proxy
    Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion.The actors likely used a PHP shell with proxying capability to attempt proxying SMB traffic to the DC (the traffic was blocked by a firewall and account restrictions).
  • T1531 – Account Access Removal
    Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. The threat actors deleted the authorization configuration file (/etc/auth.conf)—likely to prevent configured users from logging in remotely (e.g., CLI).

VI. Recommendations

  • Install the relevant updated versions as soon as possible.
  • Check for files newer than the last installation.
  • Quarantine or take offline potentially affected hosts.
  • Provision new account credentials.
  • Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  • Apply robust network-segmentation controls on NetScaler appliances, and other internet-facing devices.
  • Test and validate security controls to determine their performance against threat behaviors associeted with the MITRE ATT&CK in this advisory.

VII. IOCs (Indicators of Compromise)

IOC’s Affiliated with Citrix CVE-2023-3519 Exploitation

Cisa.gov

Third-party provide IP addresses afiliated with Citrix CVE-2023-3519

Cisa.gov

Third-party provided IOCs affiliated with Citrix CVE-2023-3519

Cisa.gov

Updated NetScaler ADC and NetScaler Gateway containing unathenticated buffer-related vulnerablities *10/23/2023*

Support.citrix.com

VIII. References

Threat actors exploiting Citrix CVE-2023-3519 to Implant Webshells – CISA. https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf

Enterprise Techniques. Mitre ATT&CK®. (n.d.). https://attack.mitre.org/versions/v13/techniques

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967. (2023, October 23). https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

Rapid. (n.d.). CVE-2023-4966: Exploitation of Citrix NetScaler Information Disclosure Vulnerability. Rapid7. https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/#:~:text=On%20October%2010%2C%202023%2C%20Citrix,the%20end%20of%20a%20buffer.

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Nahyan Jamil, Alessandro Lovadina, Ben Price, Erika Delvalle, Ariana Manrique, Yousef Blassy

Unauthenticated Remote Code Execution (RCE) Vulnerability Affecting NetScaler2024-07-11T11:29:09-04:00

USSOCOM Innovation Foundry (IF14) Event

SOFWERX, in collaboration with USSOCOM’s Directorate of Science and Technology (S&T) Futures, will host the fourteenth Innovation Foundry (IF14) Event in Tampa, FL, which intends to bring together Special Operations Forces (SOF), industry, academia, national labs, government, and futurists in an exploration, design thinking, facilitated event to assist USSOCOM in decomposing future scenarios and missions.

Political, social, and technological developments will have an increasing impact on the future of world societies. Organizations, militaries, governments, and entire economies rely on complex digital infrastructures for their operations. The safety and reliability of these information systems are of significant concern to organizations around the world, while malicious actors seek to exploit vulnerabilities to achieve their ends. Because of this, cyber security has been a focus of increasing attention and will be of critical importance in the future operational environment.

The theme of IF14 is SOF Aspects of Cyber Security in 2035. The event seeks to explore the nature of cyber security operations and infrastructure in 2035 and SOF’s role in this environment.

Specific areas of interest include the growth of digital infrastructure for civilian and military systems; the impact of artificial intelligence technologies in the design, implementation, exploitation, and securing of information systems; the impact of innovative communications, networking, and control systems on future cyber infrastructure; advancements of quantum computing and encryption tools; as well as offensive and defensive approaches including prevention, pre-emption, detection, isolation, defeat, and the exploitation of digital vulnerabilities.

The event will be a compelling opportunity for leading minds in industry, academia, labs, and government, as well as subject matter experts (SMEs) to collaborate and ideate with other experts.

USSOCOM Innovation Foundry (IF14) Event2023-12-19T14:16:15-05:00

CONTACT US

Cyber Florida at USF
4202 E. Fowler Avenue, ISA7020
Tampa, FL 33620

Office meetings by appointment only

PRIVACY POLICY

Copyright 2024 The Florida Center for Cybersecurity at the University of South Florida. Information on this website is made available for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney or cybersecurity professional with sufficient expertise necessary to address your specific needs. Use of this website does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.