From 75970e98431974544b2fe89d6595de24f63934fa Mon Sep 17 00:00:00 2001 From: Serki Ashagre <132869385+LSerki@users.noreply.github.com> Date: Fri, 9 Feb 2024 08:00:01 +0800 Subject: [PATCH 01/13] VMware Releases Security Advisory for Aria Operations for Networks - 20240208002 (#507) * CISA Releases Six Industrial Control Systems Advisories * Format markdown files * CISA Releases Critical Infrastructure Related Advisories - 20240131001 * Format markdown files * CISA Added Known Exploited Vulnerabilities to Catalog - 20240201001 * Format markdown files * VMware Releases Security Advisory for Aria Operations for Networks - 20240208002 * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...visory-for-Aria-Operations-for-Networks.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md diff --git a/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md b/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md new file mode 100644 index 00000000..58862207 --- /dev/null +++ b/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md 
@@ -0,0 +1,25 @@ +# VMware Releases Security Advisory for Aria Operations for Networks - 20240208002 + +## Overview + +VMware released a security advisory to address multiple vulnerabilities in Aria Operations for Networks. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ----------------------------------------------------------- | ------- | ---------- | ---- | +| **Aria Operations for Networks** | | | | +| - Local Privilege Escalation vulnerability (CVE-2024-22237) | | **High** | 7.8 | +| - Cross Site Scripting Vulnerability (CVE-2024-22238) | | **Medium** | 6.4 | +| - Local Privilege Escalation vulnerability (CVE-2024-22239) | | **Medium** | 5.3 | +| - Local File Read vulnerability (CVE-2024-22240) | | **Medium** | 4.9 | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [VMware Aria Operations for Networks](https://www.vmware.com/security/advisories/VMSA-2024-0002.html) + +## Additional References + +- [CISA - VMware Releases Security Advisory for Aria Operations for Networks](https://www.cisa.gov/news-events/alerts/2024/02/07/vmware-releases-security-advisory-aria-operations-networks) From 2376b9b7d6f76f71c019d70c7f62b7c96a921caa Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 9 Feb 2024 00:04:03 +0000 Subject: [PATCH 02/13] Changing markdown number to align to tickets --- ...visory-for-Aria-Operations-for-Networks.md | 25 +++++++++++++++++++ ...visory-for-Aria-Operations-for-Networks.md | 2 +- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md 
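Review bot: the `Summary` column in the "What is vulnerable?" table is empty on every row, and the four CVEs are pushed into the `Product(s) Affected` column as `- ` pseudo-bullets (`| - Local Privilege Escalation vulnerability (CVE-2024-22237) | | **High** | 7.8 |`), so the table renders as a product row followed by four orphan rows with blank summaries; list syntax does not apply inside table cells, so the dashes print literally. Either give each CVE row a one-line summary (the VMSA-2024-0002 page linked under Recommendation carries one per CVE) or drop the column, and give the product its own column rather than a heading row.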
diff --git a/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md b/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md new file mode 100644 index 00000000..58862207 --- /dev/null +++ b/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md @@ -0,0 +1,25 @@ +# VMware Releases Security Advisory for Aria Operations for Networks - 20240208002 + +## Overview + +VMware released a security advisory to address multiple vulnerabilities in Aria Operations for Networks. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ----------------------------------------------------------- | ------- | ---------- | ---- | +| **Aria Operations for Networks** | | | | +| - Local Privilege Escalation vulnerability (CVE-2024-22237) | | **High** | 7.8 | +| - Cross Site Scripting Vulnerability (CVE-2024-22238) | | **Medium** | 6.4 | +| - Local Privilege Escalation vulnerability (CVE-2024-22239) | | **Medium** | 5.3 | +| - Local File Read vulnerability (CVE-2024-22240) | | **Medium** | 4.9 | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): + +- [VMware Aria Operations for Networks](https://www.vmware.com/security/advisories/VMSA-2024-0002.html) + +## Additional References + +- [CISA - VMware Releases Security Advisory for Aria Operations for Networks](https://www.cisa.gov/news-events/alerts/2024/02/07/vmware-releases-security-advisory-aria-operations-networks) 
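Review bot: the new file `docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md` still carries the H1 `# VMware Releases Security Advisory for Aria Operations for Networks - 20240208002`, so the page title and the filename/ticket number disagree. Since the file is a byte-for-byte copy of the 002 advisory (same blob, index `58862207`), the heading should be changed to `20240208001` in this same hunk rather than left for a later fix.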
diff --git a/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md b/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md index 58862207..07092f84 100644 --- a/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md +++ b/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md @@ -1,4 +1,4 @@ -# VMware Releases Security Advisory for Aria Operations for Networks - 20240208002 +# VMware Releases Security Advisory for Aria Operations for Networks - 20240208001 ## Overview From 744c1e5297bf8795c61297161d09263da9f98ad4 Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 9 Feb 2024 00:35:06 +0000 Subject: [PATCH 03/13] Delete old advisory --- ...visory-for-Aria-Operations-for-Networks.md | 25 ------------------- 1 file changed, 25 deletions(-) delete mode 100644 docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md diff --git a/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md b/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md deleted file mode 100644 index 07092f84..00000000 --- a/docs/advisories/20240208002-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md +++ /dev/null 
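Review bot: this hunk changes the H1 to `- 20240208001` in the `20240208002-...md` file, i.e. the copy that is being superseded, rather than in the newly created 001 file, which is the one that keeps the wrong number. A `git mv` of the existing file plus the one-line heading edit would achieve the renumbering in a single hunk and preserve the file's history instead of a create/edit/delete sequence spread over three commits.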
@@ -1,25 +0,0 @@ -# VMware Releases Security Advisory for Aria Operations for Networks - 20240208001 - -## Overview - -VMware released a security advisory to address multiple vulnerabilities in Aria Operations for Networks. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system. - -## What is vulnerable? - -| Product(s) Affected | Summary | Severity | CVSS | -| ----------------------------------------------------------- | ------- | ---------- | ---- | -| **Aria Operations for Networks** | | | | -| - Local Privilege Escalation vulnerability (CVE-2024-22237) | | **High** | 7.8 | -| - Cross Site Scripting Vulnerability (CVE-2024-22238) | | **Medium** | 6.4 | -| - Local Privilege Escalation vulnerability (CVE-2024-22239) | | **Medium** | 5.3 | -| - Local File Read vulnerability (CVE-2024-22240) | | **Medium** | 4.9 | - -## Recommendation - -The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)): - -- [VMware Aria Operations for Networks](https://www.vmware.com/security/advisories/VMSA-2024-0002.html) - -## Additional References - -- [CISA - VMware Releases Security Advisory for Aria Operations for Networks](https://www.cisa.gov/news-events/alerts/2024/02/07/vmware-releases-security-advisory-aria-operations-networks) From 8b777c5e7f349ff000536f2bb20726d6805bcd3a Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Fri, 9 Feb 2024 00:37:42 +0000 Subject: [PATCH 04/13] minor fix to header --- ...leases-Security-Advisory-for-Aria-Operations-for-Networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md b/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md index 58862207..07092f84 100644 --- a/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md +++ b/docs/advisories/20240208001-VMware-Releases-Security-Advisory-for-Aria-Operations-for-Networks.md @@ -1,4 +1,4 @@ -# VMware Releases Security Advisory for Aria Operations for Networks - 20240208002 +# VMware Releases Security Advisory for Aria Operations for Networks - 20240208001 ## Overview From 2dc03ace60a031f46f670c948cab5af8a2864dce Mon Sep 17 00:00:00 2001 From: Ryan Date: Fri, 9 Feb 2024 13:28:25 +0800 Subject: [PATCH 05/13] Ivanti urgent patch for multiple products (#508) * Ivanti urgent patch * Format markdown files * Added CVE * Format markdown files --------- Co-authored-by: GitHub Actions --- ...ti-critical-patch-for-multiple-products.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/advisories/20240209001-Ivanti-critical-patch-for-multiple-products.md diff --git a/docs/advisories/20240209001-Ivanti-critical-patch-for-multiple-products.md b/docs/advisories/20240209001-Ivanti-critical-patch-for-multiple-products.md new file mode 100644 index 00000000..57b27c95 --- /dev/null +++ b/docs/advisories/20240209001-Ivanti-critical-patch-for-multiple-products.md 
@@ -0,0 +1,28 @@ +# Ivanti Critical Patch for Multiple Products - 20240209001 + +## Overview + +Ivanti has published an urgent patch for a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways. Ivanti is urging admins to secure their appliances immediately. + +The 'low complexity' attack allows an attacker to access restricted resources without authentication. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---- | +| **Ivanti Connect Secure** `9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1`, **Ivanti Policy Secure** `22.5R1.1` and **ZTA** `22.6R1.3` | **CVE-2024-22024** An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. | **Critical** | 8.3 | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. As of writing, Ivanti states 'We have no evidence of any customers being exploited by CVE-2024-22024'. 
+ +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of **48 hours** (refer [Patch Management](../guidelines/patch-management.md)): + +- [Ivanti - CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure + ](https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US) + +## Additional References + +- [BleepingComputer - Ivanti: Patch new Connect Secure auth bypass bug immediately](https://www.bleepingcomputer.com/news/security/ivanti-patch-new-connect-secure-auth-bypass-bug-immediately/) From a5e80a84a60ca749fbd37fc78a41cb71c43cfcbe Mon Sep 17 00:00:00 2001 From: DininduWickramatungaDPC <116336975+DininduWickramatungaDPC@users.noreply.github.com> Date: Fri, 9 Feb 2024 13:33:15 +0800 Subject: [PATCH 06/13] Fortinet Multiple RCE Vulnerabilities Exploited - 20240209002 (#509) * Updates to multiple advisories * Updated link * Laravel added to CISA Known Exploited Vulnerability Catalog - 20240117001 * Paessler patches PRTG zero-day vulnerability - 20240117005 * Atlassian Confluence Data Center Known Exploited Vulnerabilities - 20240130002 * Format markdown files * Update 20240130002-Atlassian-Confluence-Data-Center-Known-Exploited-Vulnerabilities.md fix header * Update 20240130002-Atlassian-Confluence-Data-Center-Known-Exploited-Vulnerabilities.md Editing of overview * Google Chrome Security Updates - 20240205002 * Format markdown files * Fortinet Multiple RCE Vulnerabilities Exploited - 20240209002 * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...-Multiple-RCE-Vulnerabilities-Exploited.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/advisories/20240209002-Fortinet-Multiple-RCE-Vulnerabilities-Exploited.md 
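Review bot: the Recommendation link is split across two lines, `- [Ivanti - CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure` followed by ` ](https://forums.ivanti.com/...)`; a newline inside the link text with an indented `]` on the next line is not reliably parsed as a link, and the markdown formatter used in this repo may turn the second line into a continuation paragraph, so put the whole link on one line. Separately, the table labels CVE-2024-22024 **Critical** with a CVSS of 8.3, but 8.3 sits in the CVSS v3 "High" band (7.0-8.9); state whose rating is being used (the vendor's or the WA SOC's own mapping) so the **48 hours** timeframe is traceable to a documented severity rule rather than appearing to contradict the score.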
diff --git a/docs/advisories/20240209002-Fortinet-Multiple-RCE-Vulnerabilities-Exploited.md b/docs/advisories/20240209002-Fortinet-Multiple-RCE-Vulnerabilities-Exploited.md new file mode 100644 index 00000000..9c000e47 --- /dev/null +++ b/docs/advisories/20240209002-Fortinet-Multiple-RCE-Vulnerabilities-Exploited.md 
@@ -0,0 +1,28 @@ +# Fortinet Multiple RCE Vulnerabilities Exploited - 20240209002 + +## Overview + +Fortinet has announced a new critical remote code execution vulnerability in FortiOS SSL VPN which is potentially being exploited in the wild. The vulnerability could allow unauthenticated threat actors to gain remote code execution via maliciously crafted requests. + +## What is vulnerable? + +| **Product(s) Affected** | \*\*Recommended Solutions \*\* | **Severity** | **CVSS** | +| ---------------------------- | ------------------------------ | ------------ | -------- | +| FortiOS 7.6 - Not affected | _Not Applicable_ | NA | NA | +| FortiOS 7.4.0 through 7.4.2 | _Upgrade to 7.4.3 or above_ | **Critical** | NA | +| FortiOS 7.2.0 through 7.2.6 | _Upgrade to 7.2.7 or above_ | **Critical** | NA | +| FortiOS 7.0.0 through 7.0.13 | _Upgrade to 7.0.14 or above_ | **Critical** | NA | +| FortiOS 6.4.0 through 6.4.14 | _Upgrade to 6.4.15 or above_ | **Critical** | NA | +| FortiOS 6.2.0 through 6.2.15 | _Upgrade to 6.2.16 or above_ | **Critical** | NA | +| FortiOS 6.0 all versions | _Migrate to a fixed release_ | **Critical** | NA | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)): + +- [PSIRT | FortiGuard](https://www.fortiguard.com/psirt/FG-IR-24-015) +- [docs.fortinet.com/upgrade-tool](https://docs.fortinet.com/upgrade-tool) + +## Additional References + +- [New Fortinet RCE flaw in SSL VPN likely exploited in attacks (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/) From 3e6b0f22b2b7130d67848247604fdcd8a2277c3f Mon Sep 17 00:00:00 2001 
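Review bot: the header cell `\*\*Recommended Solutions \*\*` has escaped asterisks and a trailing space, so it renders as literal `**Recommended Solutions **` rather than bold; the other three headers are plain `**...**`, so make this one `**Recommended Solutions**`. The `CVSS` column is `NA` on every row although the finding is rated **Critical** and described as "potentially being exploited in the wild"; add the CVE identifier and CVSS score from the linked FG-IR-24-015 entry so readers can prioritise. The expected timeframe of `*one month...*` is also inconsistent with the 48 hours the Ivanti advisory of the same day gives for a comparable unauthenticated, actively exploited flaw on an edge appliance; check which timeframe the Patch Management guideline prescribes for exploited critical vulnerabilities and drop the trailing ellipsis. The `FortiOS 7.6 - Not affected` row can go, since a not-affected version with severity `NA` adds nothing to a "What is vulnerable?" table.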
From: Adon Metcalfe Date: Mon, 12 Feb 2024 01:43:24 +0000 Subject: [PATCH 07/13] minor ads fixes --- .../S0650-Qakbot-DefenderExclusions.md | 6 +++--- .../S0650-Qakbot-ProcessExecution.md | 6 +++--- ...-OSCredentialDumping-Exfiltratentds.dit.md | 21 +++++++++---------- ....003-OSCredentialDumping-NTDSusingTools.md | 21 +++++++++---------- .../T1003.006-OSCredentialDumping-DCSyncAD.md | 11 +++++----- 5 files changed, 31 insertions(+), 34 deletions(-) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md index 623ec204..92f9c3f2 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md @@ -11,9 +11,9 @@ Qbot used reg.exe to add Defender folder exceptions for folders within AppData a !!! tip "Related" Malware -**Reference**\ -https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4%5C -https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ +!!! abstract "Reference" + - + - ### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md index c997abb5..757c2e7d 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md 
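Review bot: the replacement `!!! abstract "Reference"` block shows two empty list items (`- ` and `- `) where the removed lines carried two URLs (the SigmaHQ `proc_creation_win_reg_defender_exclusion.yml` rule and the DFIR Report Qbot write-up). If these were written as `<https://...>` autolinks the angle brackets may simply have been stripped in this view, but as shown the references are lost; confirm both URLs are present in the committed file. While at it, make sure the `%5C` that the old SigmaHQ link carried after `#L4` is not carried over: it is the old `\` hard break percent-encoded into the URL and breaks the line anchor.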
@@ -10,9 +10,9 @@ Detects potential QBot activity by looking for process executions used previousl !!! tip "Related" Malware -**Reference**\ -https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4%5C -https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html +!!! abstract "Reference" + - + - ### ATT&CK TACTICS diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md index 4183e7b2..b0fc2b4c 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md @@ -1,12 +1,11 @@ -### T1003 - OS Credential Dumping: Exfiltrate ntds.dit - -#### DESCRIPTION +## T1003 - OS Credential Dumping: Exfiltrate ntds.dit A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. -**Example:** - -> cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp +!!! example + ``` + cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp + ``` !!! tip "Related" Volt Typhoon activity 
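Review bot: same issue as the DefenderExclusions file in this patch: the new `!!! abstract "Reference"` admonition lists two empty items (`- `, `- `) where the removed lines had the SigmaHQ `proc_creation_win_malware_qbot.yml` link and the Trend Micro Black Basta article. Verify the two URLs are in the committed file and not just absent from this rendering, and do not carry over the `#L4%5C` suffix of the old SigmaHQ link, since `%5C` is a stray encoded backslash from the previous hard-break style.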
@@ -18,30 +17,30 @@ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-liv https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C https://docs.microsoft.com/sysinternals/downloads/procdump -#### ATT&CK TACTICS +### ATT&CK TACTICS {{ mitre("T1003.001")}}\ {{ mitre("T1003.003")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -#### SENTINEL RULE QUERY
+### SENTINEL RULE QUERY ``` let c1 = dynamic(["ntds.dit"]); find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) ``` -#### Triage +### Triage 1. Inspect which account and at what time the activity was performed 1. Question the user if the activity was expected and approved -#### False Positive +### False Positive 1. Back up software > "ESENTUTL.EXE" .. "C:\\Program Files\\Veritas.." "\\?...\\NTDS\\ntds.dit" -#### VERSION +### VERSION Version 1.1 (date: 16/10/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md index f9f2a0a2..b441c510 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md @@ -1,12 +1,11 @@ -### T1003.003 - OS Credential Dumping: NTDS using Tools - -#### DESCRIPTION +## T1003.003 - OS Credential Dumping: NTDS using Tools A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. -**Example:** - -> cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp +!!! example + ``` + cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\.tmp + ``` !!! tip "Related" Volt Typhoon activity 
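Review bot: the heading levels are demoted consistently here (`#### ATT&CK TACTICS` to `### ATT&CK TACTICS` and so on), but the Reference block just above this hunk, visible in the context lines, is left in the old `\`-terminated form with `https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C`; that trailing `%5C` is the old backslash hard break percent-encoded into the link and will not resolve. Convert this file's references to the same `!!! abstract "Reference"` admonition used for the Qakbot files in this patch and strip the `%5C`. On the query, `has_all (c1)` over a single-element `dynamic(["ntds.dit"])` is fine, but the `False Positive` section only names backup software (`ESENTUTL.EXE` under a Veritas path); any other routine AD maintenance in the environment that copies the database should be listed there too, so triage does not rediscover it each time.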
@@ -18,26 +17,26 @@ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-liv https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C https://docs.microsoft.com/sysinternals/downloads/procdump -#### ATT&CK TACTICS +### ATT&CK TACTICS {{ mitre("T1003.003")}} Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/) -#### SENTINEL RULE QUERY
+### SENTINEL RULE QUERY
-#### T1003.003 - OS Credential Dumping: NTDS using tools +### T1003.003 - OS Credential Dumping: NTDS using tools ``` let c1 = dynamic(["Invoke-NinjaCopy","Secretsdump.py","DSInternals"]); find where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1) ``` -#### Triage +### Triage 1. Inspect which account and at what time the activity was performed 1. Question the user if the activity was expected and approved -#### VERSION +### VERSION Version 1.0 (date: 10/07/2023) diff --git a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md index e3345f07..33eea3e9 100644 --- a/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md +++ b/docs/guidelines/TTP_Hunt/ADS_forms/T1003.006-OSCredentialDumping-DCSyncAD.md @@ -1,12 +1,11 @@ -### T1003.006 - OS Credential Dumping: DCSync - -#### DESCRIPTION +## T1003.006 - OS Credential Dumping: DCSync Detects Mimikatz DC sync activity -**Example:** - -> "mimikatz.exe" "lsadump::dcsync /domain:somedomain.gov.au /user:someusername.gov.au" exit +!!! example + ``` + "mimikatz.exe" "lsadump::dcsync /domain:somedomain.gov.au /user:someusername.gov.au" exit + ``` !!! tip "Related" mimikatz From dcdb3fc282510816fe71c296d535a6b22395857d Mon Sep 17 00:00:00 2001 
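Review bot: the hunk keeps a second title, `### T1003.003 - OS Credential Dumping: NTDS using tools`, directly under `### SENTINEL RULE QUERY`, which duplicates the file's H2 at the same level as the section headings; remove it or demote it to a caption for the query. This ADS also has no `False Positive` section, unlike the Exfiltrate-ntds.dit form edited in the same patch, yet `DSInternals` in `dynamic(["Invoke-NinjaCopy","Secretsdump.py","DSInternals"])` is also used legitimately by AD administrators, so triage guidance for benign hits belongs here. Worth stating under the form's limitations as well: `has_any` on the command-line fields only fires when one of those literal names appears, so a renamed or compiled copy of `Secretsdump.py` will not match.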
From: mahmadhabib076 <125419051+mahmadhabib076@users.noreply.github.com> Date: Mon, 12 Feb 2024 10:00:50 +0800 Subject: [PATCH 08/13] Google Chrome Security Updates Advisory (#510) * FortiSIEM - Citical Command Injection Vulnerabilities * Format markdown files * Google chrome Security updates advisory * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...tical-Command-Injection-Vulnerabilities.md | 21 ++++++++++++++++ ...40209003-Google-Chrome-Security-Updates.md | 25 +++++++++++++++++++ 2 files changed, 46 insertions(+) create mode 100644 docs/advisories/20240207003-FortiSIEM-Critical-Command-Injection-Vulnerabilities.md create mode 100644 docs/advisories/20240209003-Google-Chrome-Security-Updates.md diff --git a/docs/advisories/20240207003-FortiSIEM-Critical-Command-Injection-Vulnerabilities.md b/docs/advisories/20240207003-FortiSIEM-Critical-Command-Injection-Vulnerabilities.md new file mode 100644 index 00000000..00592b49 --- /dev/null +++ b/docs/advisories/20240207003-FortiSIEM-Critical-Command-Injection-Vulnerabilities.md 
@@ -0,0 +1,21 @@ +# FortiSIEM - Citical Command Injection Vulnerabilities - 20240207003 + +## Overview + +An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM can allow attacker to execute unauthorized code or commands via crafted API requests. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---- | +| Fortinet FortiSIEM versions
- **versions 7.1.0 through 7.1.1**
- **version 7.0.0 through 7.0.2**
- **version 6.7.0 through 6.7.8**
- **version 6.6.0 through 6.6.3**
- **version 6.5.0 through 6.5.2**
- **version 6.4.0 through 6.4.2** | [CVE-2024-23108](https://nvd.nist.gov/vuln/detail/CVE-2024-23108) , [CVE-2024-23109](https://nvd.nist.gov/vuln/detail/CVE-2024-23109) | **Critical** | 10.0 | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions. (refer [Patch Management](../guidelines/patch-management.md)): + +- [FortiGuard](https://www.fortiguard.com/psirt/FG-IR-23-130) diff --git a/docs/advisories/20240209003-Google-Chrome-Security-Updates.md b/docs/advisories/20240209003-Google-Chrome-Security-Updates.md new file mode 100644 index 00000000..ea574836 --- /dev/null +++ b/docs/advisories/20240209003-Google-Chrome-Security-Updates.md @@ -0,0 +1,25 @@ +# Google Chrome Security Updates - 20240209003 + +## Overview + +Use after free in Mojo in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. + +## What is vulnerable? + +| Product(s) Affected | Summary | Severity | CVSS | +| ----------------------------------------- | ------------------------------------------------------------------- | -------- | ---- | +| from 121.0.6167.160 before 121.0.6167.160 | [**CVE-2024-1284**](https://nvd.nist.gov/vuln/detail/CVE-2024-1284) | **High** | N/A | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions. (refer [Patch Management](../guidelines/patch-management.md)): + +- [**Chrome Releases**](https://chromereleases.googleblog.com/2024) + +## Additional References + +- [Fedora KITTY](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSCIL2WH2L4R4KWSRCTDWBPAMOJIYBJE/) 
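Review bot: the title `# FortiSIEM - Citical Command Injection Vulnerabilities - 20240207003` misspells Critical, and the overview's "in an os command ('os command injection') ... can allow attacker" should read "in an OS command (OS command injection) ... can allow an attacker". More importantly, the first table cell is split across lines (`| Fortinet FortiSIEM versions`, then `- **versions 7.1.0 through 7.1.1**` and so on); a GFM table row must be a single line, so unless these breaks are `<br>` tags that this view has stripped, the row will not render and the version list, the two CVE links and the 10.0 score will fall out of the table. Join the cell with `<br>` or list the versions below the table. The Recommendation also gives no expected timeframe, unlike the other advisories in this series that cite the Patch Management guideline with one.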
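Review bot: in the Chrome hunk, the affected-version cell `from 121.0.6167.160 before 121.0.6167.160` is self-contradictory and does not name the product; the overview says Chrome prior to 121.0.6167.160 is affected, so the cell should read `Google Chrome before 121.0.6167.160`. The reference titled `Fedora KITTY` points at a package-announce message; give it a descriptive title (the package and the CVE it addresses) so readers know why it is cited, and since the `Chrome Releases` link goes to the whole 2024 blog index, link the specific stable-channel post for 121.0.6167.160 instead.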
From 2c4a3e06adae3fb17b8fab1e89badea77c8347cb Mon Sep 17 00:00:00 2001 From: "Joshua Hitchen (DGov)" <86041569+DGovEnterprise@users.noreply.github.com> Date: Mon, 12 Feb 2024 13:20:51 +0800 Subject: [PATCH 09/13] January 2024 - Threat Activity --- docs/threat-activity.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/threat-activity.md b/docs/threat-activity.md index 89408383..aaef1c23 100644 --- a/docs/threat-activity.md +++ b/docs/threat-activity.md 
@@ -2,23 +2,26 @@ {{ date_index("docs/advisories", prefix="advisories/", expand=1, include=2) }} -## WA SOC - Recent Threat Activity (December 2023) +## WA SOC - Recent Threat Activity (January 2024) Based on recent high impact incidents seen by the WA SOC, security teams should be focusing on the below areas of improvement: !!! warning "ACSC & CISA Guidance targeted on recent threat activity" - - [Russian FSB - Star Blizzard](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/russian-fsb-cyber-actor-star-blizzard-continues-worldwide-spear-phishing-campaigns) - - [Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-349a) + - [Lay of the Land](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques) + - [Volt Typhoon - Crtical Infrastcture](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/prc-state-sponsored-actors-compromise-and-maintain-persistent-access-us-critical-infrastructure) Recent WA SOC advisories this month worth staying across include: -- [Apache Strut 2 RCE vulnerability](https://soc.cyber.wa.gov.au/advisories/20231213001-Apache-Struts-2-crit-vuln/) -- [MongoDB Compromise](https://soc.cyber.wa.gov.au/advisories/20231218004-MongoDB-Compromise/) -- [#StopRansomware: Play ransomware](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/stopransomware-play-ransomware) +- [Ivanti Services](https://soc.cyber.wa.gov.au/advisories/20240122002-Ivanti-CISA-Guidance/) +- [Fortinet VPN SSL](https://soc.cyber.wa.gov.au/advisories/20240209002-Fortinet-Multiple-RCE-Vulnerabilities-Exploited/) +- [Atlassian Services](https://soc.cyber.wa.gov.au/advisories/20240130002-Atlassian-Confluence-Data-Center-Known-Exploited-Vulnerabilities/) -Agencies should ensure their procurement and vendor management processes are aligned to the 
[Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md). Additionally agencies should prioritise remediating vulnerabilities in any internet-facing **remote access** services due to ongoing threat activity. +Agencies should ensure their procurement and vendor management processes are aligned to the [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md). Additionally agencies should prioritise remediating vulnerabilities in any internet-facing **remote access** services due to ongoing threat activity. + +Agencies should ensure that user accouints are terminated in a appropiate timeframe. As the WASOC has become aware of recent incidents have been linked to insufficient user managment [security practices](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-personnel-security). + +> 29% related to access management issues. These included poor management of privileged accounts, lack of multi-factor authentication, delays in access revocation, monitoring user activity, and review of access privileges [WA Auditor General - State Government 2022-23 Financial Audit Results](https://audit.wa.gov.au/reports-and-publications/reports/financial-audit-results-state-government-2022-23/) -Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Autopilot. For more information: [Microsoft Entra joined vs. Microsoft Entra hybrid joined in cloud-native endpoints: Which option is right for your organization](https://learn.microsoft.com/en-us/mem/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined#which-option-is-right-for-your-organization). **Security Hardening** remains a focus for all organisations. Please refer to the below guides to ensure all external and internal sign-ins are appropriately monitored. 
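Review bot: the added lines carry several typos that will publish as-is: `Crtical Infrastcture`, `accouints`, `a appropiate timeframe`, `managment`, and `WASOC` (elsewhere on the page `WA SOC`). The link text `Lay of the Land` should be `Living off the Land` to match the ACSC advisory it links. The sentence `As the WASOC has become aware of recent incidents have been linked to insufficient user managment ...` has no main clause; "The WA SOC is aware of recent incidents linked to insufficient user management ..." reads correctly. The `> 29% related to access management issues ...` quote runs the Auditor General citation into the quoted text; put the source link on its own line after the quote. The hunk also removes the paragraph recommending Microsoft Entra join over hybrid join; if that guidance is being retired rather than moved, say so in the commit message, since the subject only mentions the January threat activity update.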
From 681db15eab357bb523bcca3cc2f498114250ed58 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 12 Feb 2024 05:21:55 +0000 Subject: [PATCH 10/13] Format markdown files --- docs/threat-activity.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/threat-activity.md b/docs/threat-activity.md index aaef1c23..46922f6c 100644 --- a/docs/threat-activity.md +++ b/docs/threat-activity.md 
@@ -16,13 +16,12 @@ Recent WA SOC advisories this month worth staying across include: - [Fortinet VPN SSL](https://soc.cyber.wa.gov.au/advisories/20240209002-Fortinet-Multiple-RCE-Vulnerabilities-Exploited/) - [Atlassian Services](https://soc.cyber.wa.gov.au/advisories/20240130002-Atlassian-Confluence-Data-Center-Known-Exploited-Vulnerabilities/) -Agencies should ensure their procurement and vendor management processes are aligned to the [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md). Additionally agencies should prioritise remediating vulnerabilities in any internet-facing **remote access** services due to ongoing threat activity. +Agencies should ensure their procurement and vendor management processes are aligned to the [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md). Additionally agencies should prioritise remediating vulnerabilities in any internet-facing **remote access** services due to ongoing threat activity. Agencies should ensure that user accouints are terminated in a appropiate timeframe. As the WASOC has become aware of recent incidents have been linked to insufficient user managment [security practices](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-personnel-security). > 29% related to access management issues. These included poor management of privileged accounts, lack of multi-factor authentication, delays in access revocation, monitoring user activity, and review of access privileges [WA Auditor General - State Government 2022-23 Financial Audit Results](https://audit.wa.gov.au/reports-and-publications/reports/financial-audit-results-state-government-2022-23/) - **Security Hardening** remains a focus for all organisations. Please refer to the below guides to ensure all external and internal sign-ins are appropriately monitored. 
- [ASD Blueprint for Secure Cloud (E8)](https://blueprint.asd.gov.au/security-and-governance/essential-eight/) From 77dbfb159dd890655bed79c7156b846d8f65df2e Mon Sep 17 00:00:00 2001 From: TWangmo <125948963+TWangmo@users.noreply.github.com> Date: Mon, 12 Feb 2024 14:21:58 +0800 Subject: [PATCH 11/13] 20240212001-Microsoft-Streaming-Service-Vulnerability-Exploited (#511) * 20240205001-Juniper-Networks-Security-Advisory * Format markdown files * Update 20240205001-Juniper-Networks-Security-Advisory.md fix title * 20240207001-CISA-Adds-One-Known-Exploited-Vulnerability-to-Catalog * Format markdown files * 20240207002-Critical-Android-Security-Advisory * Format markdown files * 20240212001-Microsoft-Streaming-Service-Vulnerability-Exploited * Format markdown files --------- Co-authored-by: GitHub Actions Co-authored-by: Joshua Hitchen (DGov) <86041569+DGovEnterprise@users.noreply.github.com> --- ...ce-Elevation-of-Privilege-Vulnerability.md | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 docs/advisories/20240212001-Microsoft-Streaming-Service-Elevation-of-Privilege-Vulnerability.md diff --git a/docs/advisories/20240212001-Microsoft-Streaming-Service-Elevation-of-Privilege-Vulnerability.md b/docs/advisories/20240212001-Microsoft-Streaming-Service-Elevation-of-Privilege-Vulnerability.md new file mode 100644 index 00000000..77ea05d4 --- /dev/null +++ b/docs/advisories/20240212001-Microsoft-Streaming-Service-Elevation-of-Privilege-Vulnerability.md 
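Review bot: in the docs/threat-activity.md hunk, the added paragraph has several spelling errors ("accouints", "a appropiate", "managment") and a sentence that does not parse ("As the WASOC has become aware of recent incidents have been linked to insufficient user managment ..."); suggest "Agencies should ensure that user accounts are terminated in an appropriate timeframe, as the WA SOC has become aware of recent incidents linked to insufficient user management [security practices](...)." The hunk also deletes the blank line between the `>` blockquote and the `**Security Hardening** remains a focus ...` paragraph; in CommonMark/GFM that paragraph then becomes a lazy continuation of the quote, so the blank line should stay. "WASOC" should also match the "WA SOC" spelling used in the context line "Recent WA SOC advisories this month".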
@@ -0,0 +1,35 @@ +# Microsoft Streaming Service Vulnerability Exploited - 20240212001 + +## Overview + +Microsoft Streaming Service Proxy with high local privilege escalation vulnerabilities have been reported exploited by the new Raspberry Robin campaign. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. + +## What is the vulnerability? + +| CVE ID | Severity | CVSS | +| ----------------------------------------------------------------- | -------- | ---- | +| [CVE-2023-29360](https://nvd.nist.gov/vuln/detail/CVE-2023-29360) | **High** | 8.4 | + +## What is vulnerable? + +| Product(s) Affected | Versions | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| - Microsoft Windows 10 Version 1809, 32-bit Systems, x64-based Systems, ARM64-based Systems
- Microsoft Windows Server 2019, x64-based Systems
- Microsoft Windows Server 2019 (Server Core installation), x64-based Systems | **versions 10.0.0 to 10.0.17763.4499** | +| - Microsoft Windows Server 2022, x64-based Systems | **versions 10.0.0 to 10.0.20348.1787**
**versions 10.0.0 to 10.0.20348.1784** | +| - Microsoft Windows 11 version 21H2, x64-based Systems, ARM64-based Systems | **versions 10.0.0 to 10.0.22000.2057** | +| - Microsoft Windows 10 Version 21H2, 32-bit Systems, ARM64-based Systems | **versions 10.0.0 to 10.0.19044.3086** | +| - Microsoft Windows 11 version 22H2, ARM64-based Systems, x64-based Systems | **versions 10.0.0 to 10.0.22621.1848** | +| - Microsoft Windows 10 Version 22H2, x64-based Systems, ARM64-based Systems, 32-bit Systems | **versions 10.0.0 to 10.0.19045.3086** | +| - Microsoft Windows 10 Version 1607, x64-based Systems, ARM64-based Systems, 32-bit Systems | **versions 10.0.0 to 10.0.14393.5989** | +| - Microsoft Windows Server 2016, x64-based Systems | **versions 10.0.0 to 10.0.14393.5989** | +| - Microsoft Windows Server 2016 (Server Core installation), x64-based Systems | **versions 10.0.0 to 10.0.14393.5989** | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29360) From 280fb60296a77d68c7c04153146350a9091258aa Mon Sep 17 00:00:00 2001 From: carel-v98 <109933205+carel-v98@users.noreply.github.com> Date: Tue, 13 Feb 2024 15:32:49 +0800 Subject: [PATCH 12/13] Roundcube Webmail Vuln (#512) --- ...13001-Roundcube-Webmail-Known-Exploited.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md diff --git a/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md b/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md new file mode 100644 index 00000000..964fa3d3 
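Review bot: the "What is vulnerable?" table in this hunk contains line breaks inside cells (the Windows 10 Version 1809 / Server 2019 row is spread over three lines and the Server 2022 version cell over two), which GFM tables do not support; each row must be a single line, so either give each product its own row or join the items with `<br>`. The Server 2022 row also lists two different upper bounds (10.0.20348.1787 and 10.0.20348.1784) without saying which build branch each applies to. The Overview sentence "Microsoft Streaming Service Proxy with high local privilege escalation vulnerabilities have been reported exploited by the new Raspberry Robin campaign" is ungrammatical; suggest "A high-severity local privilege escalation vulnerability in the Microsoft Streaming Service Proxy has been reported as exploited by a new Raspberry Robin campaign."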
--- /dev/null +++ b/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md @@ -0,0 +1,25 @@ +# Roundcube Webmail added to CISA Known Exploited Catalog - 20240213001 + +## Overview + +Roundcube have released a critical security advisory relating to a vulnerability impacting Roundcube Webmail. + +## What is vulnerable? + +| Product(s) Affected | CVE | Severity | CVSS | +| ---------------------- | ------------------------------------------------------------------------------- | -------------------------------- | ---- | +| Roundcube Webmail | [CVE-2023-43770](https://nvd.nist.gov/vuln/detail/CVE-2023-43770) | **Medium** | 6.1 | + +## What has been observed? + +CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- [Roundcube: Security update 1.6.3 released](https://roundcube.net/news/2023/09/15/security-update-1.6.3-released) + +### Additional Resources + +- [CISA Adds One Known Exploited Vulnerability to Catalog - February 12, 2024](https://www.cisa.gov/news-events/alerts/2024/02/12/cisa-adds-one-known-exploited-vulnerability-catalog) From b84dfcc1d450cd74aa181edfcb2dc55b8712b145 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 13 Feb 2024 07:33:50 +0000 Subject: [PATCH 13/13] Format markdown files --- .../20240213001-Roundcube-Webmail-Known-Exploited.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md b/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md index 964fa3d3..45743246 100644 
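Review bot: the Overview in this hunk calls it "a critical security advisory" while the table rates CVE-2023-43770 as **Medium** with CVSS 6.1; one of the two should be corrected so the advisory is internally consistent, and the Overview should say what kind of vulnerability it is so readers can triage it. In the Recommendation, "*48 Hours...*" should drop the trailing ellipsis and use the "*48 hours*" form the other advisory in this series uses. "### Additional Resources" is a level-3 heading while the sibling sections in the same file ("## What has been observed?", "## Recommendation") are level 2. The table's separator row is also padded to widths that do not match the header, which is cosmetic but will be flagged by the formatter.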
--- a/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md +++ b/docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md @@ -6,9 +6,9 @@ Roundcube have released a critical security advisory relating to a vulnerability ## What is vulnerable? -| Product(s) Affected | CVE | Severity | CVSS | -| ---------------------- | ------------------------------------------------------------------------------- | -------------------------------- | ---- | -| Roundcube Webmail | [CVE-2023-43770](https://nvd.nist.gov/vuln/detail/CVE-2023-43770) | **Medium** | 6.1 | +| Product(s) Affected | CVE | Severity | CVSS | +| ------------------- | ----------------------------------------------------------------- | ---------- | ---- | +| Roundcube Webmail | [CVE-2023-43770](https://nvd.nist.gov/vuln/detail/CVE-2023-43770) | **Medium** | 6.1 | ## What has been observed?
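Review bot: whitespace-only realignment of the table columns, which is fine as a formatter commit; note that it changes no content, so the context line "Roundcube have released a critical security advisory" in the hunk header still disagrees with the **Medium** / 6.1 rating in the rows below and needs a separate fix.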