CCTR.16.April.24
Pwning Firewalls and Thycotic Secret Servers
Volexity has identified the exploitation of a zero-day vulnerability in Palo Alto Networks GlobalProtect gateway firewalls. This critical vulnerability (CVE-2024-3400, CVSS 10) allows a threat actor to execute commands with root privileges on the firewall. It is currently being actively exploited, most likely by a single state-sponsored threat actor (UTA0218). They remotely exploit the firewalls and transfer additional tools to move laterally within their victim organisations. The threat actor also installs a Python backdoor, UPSTYLE, on the compromised firewalls. It is imperative to patch your firewall; however, note that patching may destroy forensic artifacts, so preserve evidence before you upgrade. It is highly recommended to monitor network activity for any abnormal behaviour and to investigate unexpected network activity. With the inevitability of the exploit becoming public knowledge, opportunistic threat actors are expected to use it against their victims. Refs: incident analysis; UPSTYLE on VirusTotal.

Over the weekend, customers of Delinea Secret Server Cloud (formerly known as Thycotic Secret Server) faced an unexpected outage due to a "security incident." This is a crown-jewel system in organisations' privileged access management. Secret Server was impacted by a critical vulnerability (allowing authentication bypass and administrator access) affecting both the on-premises and cloud versions. Despite being reported two months earlier, Delinea had not taken action or acknowledged the issue until its public disclosure. Delinea said that they believe no customer data was impacted. On-premises users need to update their systems to the latest version, while cloud customers must rely on Delinea's pinky promise. Refs: incident; PoC (a must read if you're a pen tester).

A critical vulnerability (CVE-2024-2879, CVSS 9.8) in the LayerSlider plugin (v7.10.1) for WordPress exposes websites to unauthenticated SQL injection attacks. Attackers can exploit this vulnerability to potentially steal sensitive data and gain complete control over the affected websites.
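The LayerSlider item above is a reminder of how an unauthenticated SQL injection typically arises in a WordPress plugin. The following is an added illustration written for this digest; it is not LayerSlider's code and does not describe CVE-2024-2879 itself. The handler name example_get_slider, the nonce name and the table example_sliders are constructed for the example. The first handler is registered on the wp_ajax_nopriv_ hook (reachable without a login) and concatenates a request parameter straight into SQL; the hardened version uses $wpdb->prepare() placeholders, casts the input, requires an authenticated user with a capability, and checks a nonce.

```php
<?php
// Added illustration, not LayerSlider's code. Hypothetical WordPress AJAX handler
// (constructed names: example_get_slider, example_slider_nonce, {prefix}example_sliders).

// VULNERABLE: untrusted input concatenated into SQL, and registered on the
// wp_ajax_nopriv_* hook, so any unauthenticated visitor can reach it.
add_action( 'wp_ajax_nopriv_example_get_slider', 'example_get_slider_vulnerable' );
function example_get_slider_vulnerable() {
    global $wpdb;
    $id  = $_GET['id']; // attacker-controlled string, used unmodified
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_sliders WHERE id = {$id}" );
    wp_send_json( $row );
}

// HARDENED: only the authenticated wp_ajax_* hook, a nonce tied to the admin page,
// a capability check, an integer cast, and a parameterised query via $wpdb->prepare().
add_action( 'wp_ajax_example_get_slider', 'example_get_slider_hardened' );
function example_get_slider_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_slider_nonce' );          // dies on a missing/invalid nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );             // least privilege: require a role
    }
    $id  = absint( $_GET['id'] ?? 0 );                      // non-negative integer only
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_sliders WHERE id = %d", // %d placeholder
            $id
        )
    );
    wp_send_json_success( $row );
}
```

When auditing a plugin for this class of bug, grep for wp_ajax_nopriv_ registrations and for $wpdb calls whose SQL string is built with interpolation or concatenation rather than passed through $wpdb->prepare(); a handler that is both unauthenticated and unparameterised is the pattern that earns a 9.8.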