In this webinar, we’ll explore the dynamic realm of Teaching Digital Natives. Join us to delve into a comprehensive cybersecurity program designed to equip educators with effective strategies, compelling content, and inspiration for both summer camps and middle school courses.
The Virtual Internship and Varied Innovative Demonstrations (VIVID) Coalition, comprised of the University of Alabama in Huntsville, Augusta University, University of Arizona, and Florida International University, is excited to announce the 2024 VIVID Cyber Competition.
This competition is an opportunity for students at CAE institutions to strengthen their resumes and showcase their skills in front of U.S. government practitioners.
Teams of five will compete in the virtual cyber competition on March 11-14, 2024. The top 15 teams will be invited to the CAE Annual Colloquium for the top prize and title of “Overlord Champion”.
The hubris of mankind knows no end. How a group of academics think creating machine intelligence is a good thing is beyond belief. The danger of artificial intelligence is well known. Just look at the Forbes article[1] that tells us the risks or even Scientific American[2] which describes the menace of our digital overlords. They even had the audacity to call it “Overlord”; we must stop them!
Fortunately for us, a member of the AU research team that created this monstrosity sees the danger and has told us there is a hidden backdoor to their system that allows remote access. It’s great having an insider that shares our beliefs! Additionally, the creators were at least smart enough to build in an “off switch” but it is protected by an authentication system that needs a digital key. With this knowledge, we can enter the Overlord system and steal the key. Once we have it, we can shut down this monstrosity. Unfortunately, our inside person does not have the credentials to get to the key, so we must break into their system.
Our incident response tasks:
Apex University (AU) announces their new artificial intelligence (AI) research system, Overlord! Professor Rosie Meebs, head of the project, declares “this is a new generation of AI that will reach heights never reached before. Our new code is faster and learns better than anything in existence. We project that in less than 8 months, Overlord will reach singularity and be a true intelligence. We expect once that happens, our AI will be able to solve any number of problems from creating fusion to solving the climate change crisis. Any negative comments are just jealousy, and we know there will be no problems once Overlord comes online. We will turn on Overlord on 1 March 2024 and change the world!”
Our tasks:
You and your team are lucky enough to gain experience at Apex University’s (AU) Security Operations Center (SOC). For the last semester you’ve been working three days a week learning the job roles in SOC and expanding your cybersecurity knowledge. While today is usually not a workday, the SOC director called all of you to work and explained the university network was under attack and all the full-time analysts were swamped. The director needs you to work within the network and identify any artifacts in the system indicating threat activity and indicators of compromise.
SEC allows students to compete in a purely social engineering experience that is grounded in the social sciences. The competition offers a timely and unique platform for students to learn about social engineering in a hands-on, engaging, and ethical manner. The competition has a different theme each year to demonstrate the relevance of social engineering across various cybersecurity areas, and is open to high school, undergraduate, and graduate students.
This year’s theme, tax scams, is inspired by the IRS’ annual Dirty Dozen list of tax scams for 2023. According to IRS Commissioner Danny Werfel, scammers are “coming up with new ways all the time to try to steal information from taxpayers”. So, what exactly are these ways? Come find out how cybercriminals are using social engineering in employment and tax scams.
No technical experience is required. High school and college students (aged 14+) from all disciplinary backgrounds are welcome!
Orientation date (virtual): Saturday, March 23, time TBD (this is not optional – please hold this date on your calendar)
Competition dates (virtual, these are not optional – please hold these dates on your calendar):
Graduate Level: April 5, 6, 7, times TBD
Undergraduate: April 19, 20, 21, times TBD
High school Level: May 3, 4, 5, times TBD
Closing ceremonies (virtual): Wednesday, May 8, time TBD (this is not optional – please hold this date on your calendar)
Why a ‘pure’ social engineering competition?
There are MANY cybersecurity competitions already in existence (PicoCTF, PlaidCTF, CSAW, UCSB iCTF, US Cyber Challenge, Panoply, CPTC, CCDC, CyberPatriot, Cyber Academy, to name a few). While these are all excellent sources of hands-on training, they are primarily technical in nature and have specific focus areas, such as reverse engineering, hacking, cryptography, and exploitation. They do not emphasize the relevance of the human-socio-psychological aspects of cyberattacks and cybersecurity.
Given that the human factor is increasingly being exploited by cybercriminals, a pure SE competition grounded in the social sciences offers a timely and unique platform for students to learn about this topic in a hands-on, engaging, and ethical manner.
Who can participate?
This event is open to high school, undergraduate, and graduate students. Teams are required (solo entries are not permitted). Team sizes can range from 2-4 members. Members can be from different institutions (schools/colleges), but must be at the same educational level (ex: purely high school students).
When and how can we put our application in?
*Registration deadline is Monday, February 19, 2024 at 12pm ET.
This cyberattack has been targeting NetScaler application delivery controller (ADC) and NetScaler Gateway; tools that improve the delivery speed of applications to an end user and provides secure remote access to application and services, respectively. Threat actors exploited this vulnerabiltiy as a zero-day attack to drop a webshell. The webshell allowed the threat actors access to the victim’s active directory (AD) and collect and exfiltrate data.
In June 2023, threat actors exploited a public facing applications called NetScaler Application Delivery Controller and NeScaler Gateway. Threat actors implanted a webshell on the organization’s NetScaler ADC appliance, and then abused elevation controls to initilalize an exploit chain to a binary file to extract data.
The affected versions following this vulnerability are for Netscaler and Netscaler Gateway: 13.1 before 13.1-40.13. Intially, CVE-2023-3519 was CVE-2019-19781 that as discovered in December 2019 and it attracted signifcant attention due to its potential to be exploited for the same purpose as it is being seen (unauthneticated remote code execution). In the 2019-29781 CVE attackers would gain access through Citrix NetScaler server to exploit public facing applications such as Citrix ADC and gateway and we can see that happening in the 2023-3519 CVE as well.
According to NISTs’ CVSS Severity and Metrics the vulnerability has been rate the following:
Threat Actor Activity
Victim 1
As part of their initial exploit chain [T1190], the threat actors uploaded a TGZ file [T1105] containing a generic webshell [T1505.003], discovery script [TA0007], and setuid binary [T1548.001] on the ADC appliance and conducted SMB scanning on the subnet [T1046].
Threat Actor Activity
Victim 2
Threat actors uploaded a PHP webshell *logouttm.php* [T1036.005], likely as part of their initial exploit chain, to */netscaler/ns_gui/vpn/. Within an hour of installing the webshell, the actors implanted an Executable and Linkable Format (ELF) binary pykeygen that set user unique identifier (UID) to root and executed /bin/sh [T1059.004] via setuid and execve syscall.* [T1106]. Note: A third party also observed threat actors use an ELF binary (named pip4) to execute /bin/sh via syscall and change the UID to root. pip4 was located at /var/python/bin.
With root level access, the actors used hands-on-keyboard for discovery. They queried the AD via ldapsearch for users, groups, and computers. They collected the data in gzipped text files renamed 1.css and 2.css and placed the files in /netscaler/ns_gui/vpn/ for exfiltration.
After exfiltrating the files, the actors deleted them from the system [T1070.004] as well as some access logs, error logs, and authentication logs [T1070.002]. The victim organization detected the intrusion and mitigated the activity but did not identify signs of additional malicious activity.
For command and control (C2), the actors appeared to use compromised pfSense devices [T1584]; the victim observed communications with two pfSense IP addresses indicating the actor was using them for multi-hop proxying C2 traffic [T1090.003].
Updated vulnerabilities affecting Netscaler ADC and Netscaler Gateway:
As of October 23rd, Cyber Florida recived updates regarding vulnerabilities affecting Netscaler ADC and Netscaler Gateway. The vulnerabilities in mention: CVE-2023-4966 and CVE 2023-4967 both place high in the CVSS score for severity, and should be mitigated immediately. CVE-2023-4966, a sensitive information disclosure vulnerability, allows attackers to get access to large amounts of data in memory at the end of a buffer. Frequently seen within this attack vector are efforts to gain unauthetnicated access to previous session tokens that allow attackers impersonate authenticated users and their escalate priveleges. CVE 2023-4967, although less critical than the first observed vulnerability, is still a severe vulnerability that can lead to a Denial of Service (D.O.S) attack and cause great harm to a company.
As of October 23rd, updated effected versions of Netscaler ADC and Netscaler Gateway are the following:
IOC’s Affiliated with Citrix CVE-2023-3519 Exploitation
Third-party provide IP addresses afiliated with Citrix CVE-2023-3519
Third-party provided IOCs affiliated with Citrix CVE-2023-3519
Updated NetScaler ADC and NetScaler Gateway containing unathenticated buffer-related vulnerablities *10/23/2023*
Threat actors exploiting Citrix CVE-2023-3519 to Implant Webshells – CISA. https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf
Enterprise Techniques. Mitre ATT&CK®. (n.d.). https://attack.mitre.org/versions/v13/techniques
NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967. (2023, October 23). https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
Rapid. (n.d.). CVE-2023-4966: Exploitation of Citrix NetScaler Information Disclosure Vulnerability. Rapid7. https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/#:~:text=On%20October%2010%2C%202023%2C%20Citrix,the%20end%20of%20a%20buffer.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Nahyan Jamil, Alessandro Lovadina, Ben Price, Erika Delvalle, Ariana Manrique, Yousef Blassy
SOFWERX, in collaboration with USSOCOM’s Directorate of Science and Technology (S&T) Futures, will host the fourteenth Innovation Foundry (IF14) Event in Tampa, FL, which intends to bring together Special Operations Forces (SOF), industry, academia, national labs, government, and futurists in an exploration, design thinking, facilitated event to assist USSOCOM in decomposing future scenarios and missions.
Political, social, and technological developments will have an increasing impact on the future of world societies. Organizations, militaries, governments, and entire economies rely on complex digital infrastructures for their operations. The safety and reliability of these information systems are of significant concern to organizations around the world, while malicious actors seek to exploit vulnerabilities to achieve their ends. Because of this, cyber security has been a focus of increasing attention and will be of critical importance in the future operational environment.
The theme of IF14 is SOF Aspects of Cyber Security in 2035. The event seeks to explore the nature of cyber security operations and infrastructure in 2035 and SOF’s role in this environment.
Specific areas of interest include the growth of digital infrastructure for civilian and military systems; the impact of artificial intelligence technologies in the design, implementation, exploitation, and securing of information systems; the impact of innovative communications, networking, and control systems on future cyber infrastructure; advancements of quantum computing and encryption tools; as well as offensive and defensive approaches including prevention, pre-emption, detection, isolation, defeat, and the exploitation of digital vulnerabilities.
The event will be a compelling opportunity for leading minds in industry, academia, labs, and government, as well as subject matter experts (SMEs) to collaborate and ideate with other experts.
Norwegian authorities recently revealed a critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), posing a significant security threat. The flaw enables unauthenticated remote attackers to bypass authentication and gain access to the server’s API, potentially leading to data theft and unauthorized system modifications.
On July 24th, the Norwegian Government Security and Service Organization (DSS) and the Norwegian National Security Agency (NSM) informed the public about a zero day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile management software that can be used for mobile device management and mobile application/content management (Tenable). This vulnerability has received a maximum CVSS score of 10, which means that it is very easy to exploit and does not require particular tools or skills to do so (Mnemonic).
This vulnerability, classified as CVE-2023-35078, is an authentication bypass in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application program interface (API), normally accessible only to authenticated users (Tenable). Successful exploitation would allow an attacker to be able to access “specific API paths”. By utilizing these unrestricted API paths, a malicious actor could potentially steal personally identifiable information (PII) such as names, phone numbers, and other mobile device details. An attacker can also make other configuration changes, including the creation of an EPMM administrative account on the server that can make further changes to a vulnerable system (CISA). The attack consists of changing the URI path to the API v2, which can in fact be accessed without any authentication methods (Mnemonic). According to the API documentation, all API calls are based on the URL format: https://[core-server]/api/v2/. If we add the path to a vulnerable endpoint, it is easy to execute commands withouth needing authentication, as shown here: https://[core-server]/vulnerable/path/api/v2. Luckily, it is fairly simple to detect whether the vulnerability has been exploited in a system. This can be done by checking the logs from the mobile management software to determine if the API v2 endpoint in Ivanti’s EPMM has been targeted (Uzun). This may be evident if regular API calls to unusual paths are present in the logs.
Ivanti reported that the vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older unsupported versions/releases are also at risk (CISA). Furthermore, the company has promptly issued security patches for the EPMM vulnerability. Customers can fix it by upgrading the software to EPMM versions 11.8.1.1, 11.9.1.1, and 11.10.0.2. These fixed versions cover also unsupported and End-of-Life (EoL) software versions that are lower than 11.8.1.0 (Uzun).
According to the articles posted by Ivanti, the vulnerability was exploited in the wild as a zero-day against a small number of customers (Tenable). However, it is known that the unnamed attackers utilized this flaw to compromise 12 government ministries in Norway (Muncaster).
Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Manage Default Accounts on Enterprise Assets and Software: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Mnemonic. (2023, July 25). Advisory: Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability. https://www.mnemonic.io/resources/blog/ivanti-endpoint-manager-mobileepmm-authentication-bypass-vulnerability/
Tenable®. (2023, July 25). CVE-2023-35078: IVaNti Endpoint Manager Mobile (EPMM) / MobileIron Core Unauthenticated API Access vulnerability. https://www.tenable.com/blog/cve-2023-35078-ivanti-endpoint-managermobile-epmm-mobileiron-core-unauthenticated-api-access
Uzun, T. (2023, July 25). Critical Zero-Day in Ivanti EPMM (Formerly MobileIron Core) is actively exploited (CVE-2023-35078). SOCRadar® Cyber Intelligence Inc. https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-isactively-exploited-cve-2023-35078/
Cybersecurity and Infrastructure Security Agency CISA. (2023, July 24). Ivanti releases security updates for Endpoint Manager Mobile (EPMM) CVE-2023-35078. https://www.cisa.gov/news-events/alerts/2023/07/24/ivanti-releases-securityupdates-endpoint-manager-mobile-epmm-cve-2023-35078
Muncaster, P. (2023, July 25). Ivanti patches Zero-Day bug used in Norway attacks. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/ivantipatches-zeroday-bug-norway/
Uzun, T. (2023, August 4). Critical Zero-day in Ivanti EPMM (formerly MobileIron Core) is actively exploited (CVE-2023-35078). SOCRadar® Cyber Intelligence Inc. https://socradar.io/critical-zero-day-in-ivanti-epmm-formerly-mobileiron-core-isactively-exploited-cve-2023-35078/
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Nahyan Jamil, Erika Delvalle, Alessandro Lovadina, Sreten Dedic, EJ Bulut, Uday Bilakhiy, Yousef Blassy.
