Latest Updates in Infrastructure
Threat Actor DEV-0537 Targeting Organizations for Data Exfiltration and Destruction
DEV-0537, also tracked as LAPSUS$, is known for a pure extortion and destruction model that does not deploy ransomware payloads. Initially targeting organizations in the United Kingdom and South America, the group has expanded to global targets, including the government, IT, and healthcare sectors. Rather than covering its tracks, DEV-0537 advertises its intentions and successes on social media. Its tactics include phone-based social engineering, accessing employees' personal email accounts, and paying employees, suppliers, or business partners of the targeted organization for credentials and MFA approval. The article compiles the tactics, techniques, and procedures observed across multiple DEV-0537 intrusions.
What Defenders Need To Look Out For In Terms Of The Dirty Pipe Vulnerability
The Dirty Pipe vulnerability (CVE-2022-0847) affects Linux kernels from 5.8 onward and lets an unprivileged local process overwrite data in arbitrary files it can only open read-only, by writing into the page cache through a pipe. Because the overwritten data can be code or configuration consumed by root processes, the bug is a local privilege escalation. It also crosses the container boundary: on a host running containerization software such as Docker, a process inside a container can modify files belonging to the container image on the host, which should never be possible. Two conditions must hold for exploitation: the host kernel must be an unpatched 5.8 or later build (upstream fixes shipped in 5.16.11, 5.15.25 and 5.10.102), and the attacker must be able to run code that interacts with a container on that host. Note that distribution kernels often backport the fix without changing the upstream version number, so a version check is only a first pass and the vendor advisory is the authoritative answer.
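As an added triage helper (not code from the article or from the kernel project), the following Python maps a `uname -r` string onto the upstream affected range described above. The fixed stable versions are taken from the CVE-2022-0847 advisory; the function deliberately classifies by upstream version only, so a distribution string such as `5.15.0-25-generic` is flagged for review even though the vendor may have backported the fix.

```python
"""Dirty Pipe (CVE-2022-0847) kernel-version triage by upstream version number."""
import platform
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (5, 8, 0)
# Upstream stable releases that carry the fix (from the CVE-2022-0847 advisory).
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
# Mainline was fixed in 5.17-rc6, so every 5.17.x release is clean.
FIRST_CLEAN_MAINLINE: Version = (5, 17, 0)


def parse_kernel_release(release: str) -> Version:
    """Turn a `uname -r` string such as '5.10.0-13-amd64' into (major, minor, patch).

    Distribution suffixes (-13-amd64, -25-generic, .el8) are ignored on purpose:
    they carry vendor patch state that this check cannot interpret.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def upstream_version_vulnerable(release: str) -> bool:
    """True if the *upstream* version lies in the affected range and below its series' fix.

    Series between 5.8 and 5.14 never received an upstream fix (they were end-of-life),
    so any such version is reported as vulnerable.
    """
    v = parse_kernel_release(release)
    if v < FIRST_AFFECTED or v >= FIRST_CLEAN_MAINLINE:
        return False
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return True
    return v < fixed


def running_kernel_vulnerable() -> bool:
    """Check the kernel this interpreter is running on. Inside a container this is the HOST kernel."""
    return upstream_version_vulnerable(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, including a distribution-style one.
    for rel in ("5.7.19", "5.10.101", "5.10.102", "5.12.19", "5.15.0-25-generic", "5.17.0"):
        print(f"{rel:20} vulnerable by upstream version: {upstream_version_vulnerable(rel)}")
    print(f"this host ({platform.release()}): {running_kernel_vulnerable()}")
```

Run it inside a container as well as on the host; the result is identical because `platform.release()` reports the shared host kernel, which is exactly why the container's own image version is irrelevant to exposure.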
Latest Updates in Web Application
Dompdf: HTML to PDF Rendering Vulnerability leading from XSS to RCE
“After reviewing the vulnerability details the next release (1.2.1) will include a patch,” said Sweeney, the maintainer of dompdf. Per Positive Security's findings, however, the vulnerability remained unpatched at the time of writing and poses a Remote Code Execution (RCE) threat. Starting from a Cross-Site Scripting (XSS) or HTML-injection point in content that dompdf renders, an attacker can get a font file with a .php extension written to the web server; requesting that file afterwards executes it, giving RCE on the vulnerable host. Until a patch lands, the issue can be mitigated by ensuring dompdf and its font cache directory are not located in a web-accessible directory.
Resolved: Parse Server Command Injection via Prototype Pollution
Attack Flow: Center For Threat Informed Defense
The project seeks to demonstrate how Attack Flow can explain defensive posture to executives, help defenders capture lessons learned from an incident, and let red teamers compose realistic adversary emulation scenarios. At a high level, Attack Flow is a machine-readable representation of an attack sequence composed of five main objects: the flow itself, a list of actions, a list of assets, a list of knowledge properties, and a list of causal relationships between the actions and assets. It helps defenders move from tracking adversary behaviors individually to tracking the sequence of techniques adversaries chain together to achieve their goals.
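To make the five-object model concrete, here is an added illustrative Python model of a flow (example code, not the Center for Threat-Informed Defense's schema or tooling; the class and field names, the relationship kinds `leads_to` and `acts_on`, and the sample incident are all assumptions). It shows the part that distinguishes a flow from a flat technique list: ordering actions by their causal relationships and rejecting flows whose relationships are inconsistent.

```python
"""Illustrative in-memory Attack Flow: flow, actions, assets, knowledge properties, relationships.

Field names and relationship kinds are assumptions for this example, not the official schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Action:
    id: str
    name: str
    technique: str  # ATT&CK technique ID the action maps to


@dataclass
class Asset:
    id: str
    name: str


@dataclass
class Relationship:
    source: str  # action id
    target: str  # action id (leads_to) or asset id (acts_on)
    kind: str    # "leads_to" or "acts_on" (assumed vocabulary)


@dataclass
class Flow:
    name: str
    actions: Dict[str, Action] = field(default_factory=dict)
    assets: Dict[str, Asset] = field(default_factory=dict)
    properties: Dict[str, str] = field(default_factory=dict)  # knowledge properties
    relationships: List[Relationship] = field(default_factory=list)


def ordered_actions(flow: Flow) -> List[str]:
    """Action ids in causal order (Kahn's algorithm). Raises on a cycle or a dangling reference."""
    indegree = {a: 0 for a in flow.actions}
    successors: Dict[str, List[str]] = {a: [] for a in flow.actions}
    for r in flow.relationships:
        if r.kind != "leads_to":
            continue
        if r.source not in flow.actions or r.target not in flow.actions:
            raise ValueError(f"relationship {r.source}->{r.target} references an unknown action")
        successors[r.source].append(r.target)
        indegree[r.target] += 1
    ready = sorted(a for a, d in indegree.items() if d == 0)
    order: List[str] = []
    while ready:
        cur = ready.pop(0)
        order.append(cur)
        for nxt in successors[cur]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(flow.actions):
        raise ValueError("flow contains a cycle")
    return order


def technique_sequence(flow: Flow) -> List[str]:
    """The chained technique IDs, i.e. what a detection engineer would correlate on."""
    return [flow.actions[a].technique for a in ordered_actions(flow)]


def assets_for_action(flow: Flow, action_id: str) -> List[str]:
    return sorted(r.target for r in flow.relationships if r.kind == "acts_on" and r.source == action_id)


def sample_flow() -> Flow:
    """Constructed three-step intrusion; not a real incident. Inserted out of order on purpose."""
    f = Flow(name="constructed phishing-to-lateral-movement flow", properties={"confidence": "illustrative"})
    for a in (
        Action("a2", "Log in with stolen credentials", "T1078"),
        Action("a3", "RDP to file server", "T1021"),
        Action("a1", "Phishing email delivers credential lure", "T1566"),
    ):
        f.actions[a.id] = a
    f.assets["mailbox"] = Asset("mailbox", "Finance user mailbox")
    f.assets["fileserver"] = Asset("fileserver", "Finance file server")
    f.relationships += [
        Relationship("a1", "a2", "leads_to"),
        Relationship("a2", "a3", "leads_to"),
        Relationship("a1", "mailbox", "acts_on"),
        Relationship("a3", "fileserver", "acts_on"),
    ]
    return f


if __name__ == "__main__":
    flow = sample_flow()
    print(ordered_actions(flow), technique_sequence(flow), assets_for_action(flow, "a3"))
```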
A Community-Driven Insider Threat Knowledge Base
Modern enterprise networks are frequently designed to defend against external threats while implicitly trusting their internal user base, so detecting and mitigating the insider threat has become one of the standing challenges in cybersecurity. The initial publication is based on an analysis of insider threat case data contributed by participating organizations and identifies 54 techniques that insiders have been observed to use. The draft knowledge base is an evidence-based examination of detected, documented insider actions on IT systems across organizations and industries. From this data set, which is small relative to the case data held across the security community, the authors deduced patterns of insider actions.