INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887)
Published: 2024-01-16
Last Updated: 2024-01-16 12:53:48 UTC
by Johannes Ullrich (Version: 1)
Last week, Volexity published a blog describing two vulnerabilities in Ivanti's Connect "Secure" VPN. These vulnerabilities have been exploited in limited, targeted attacks. At this point, Ivanti has released a configuration workaround but no patch for these vulnerabilities. The configuration change is applied in the form of an encrypted XML file.
watchTowr, a company in the vulnerability scanning business, investigated the configuration change created by Ivanti and shared how to detect whether an Ivanti instance has had the configuration change applied. After the change is applied, requests to a specific REST API URL (/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark) return a complete HTML body. Before the mitigation is applied, only headers are received from the device.
Starting on Sunday, our honeypots detected the first scans for this URL. This is likely attackers building target lists while working on the exploit. Neither Volexity nor watchTowr has released an exploit for the vulnerabilities. Ivanti delivers the Connect "Secure" VPN as a virtual appliance with an obfuscated disk image. Still, the obfuscation is easily bypassed, and exploits are likely becoming available to an ever-wider group of attackers. Ransomware attackers are likely already taking advantage of the vulnerability.
Read the full entry:
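The scans described above leave a distinctive footprint: a request for one very specific REST path that no legitimate VPN client ever asks for. The following is an added example, not code from the diary, from watchTowr or from Ivanti, showing how a defender could pick such probes out of a reverse proxy or web server access log. It assumes Apache/nginx "combined" log format; the sample log lines are constructed for the example, and the source addresses are taken from the documentation ranges (192.0.2.0/24, 198.51.100.0/24).

```python
import re

# REST path from the watchTowr mitigation check quoted in the diary entry.
IVANTI_CHECK_PATH = (
    "/api/v1/configuration/users/user-roles/user-role/"
    "rest-userrole1/web/web-bookmarks/bookmark"
)

# Apache/nginx "combined" log format:
#   ip - user [timestamp] "METHOD path HTTP/x.y" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_ivanti_probes(lines):
    """Return the parsed records whose request path is the Ivanti check URL.

    The query string is stripped before comparison so a probe that appends
    cache-busting parameters is still matched; the HTTP method and status are
    deliberately ignored, since a scanner only needs the response headers.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line, skip it
        path = rec["path"].split("?", 1)[0]
        if path == IVANTI_CHECK_PATH:
            hits.append(rec)
    return hits


def probes_by_source(hits):
    """Count matched probes per source IP, for triage or blocklist review."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


# Constructed sample log lines (not real honeypot data).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Jan/2024:03:12:45 +0000] "GET / HTTP/1.1" 200 5121 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Jan/2024:03:13:02 +0000] "GET ' + IVANTI_CHECK_PATH
    + ' HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.10 - - [14/Jan/2024:03:13:03 +0000] "HEAD ' + IVANTI_CHECK_PATH
    + '?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [14/Jan/2024:03:20:11 +0000] "GET ' + IVANTI_CHECK_PATH
    + ' HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '203.0.113.5 - - [14/Jan/2024:03:21:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 9210 "-" "Mozilla/5.0"',
    "this line is garbage and will not parse",
]

if __name__ == "__main__":
    hits = find_ivanti_probes(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']}  {rec['ip']:<15} {rec['method']:<5} status={rec['status']}")
    print("per-source counts:", probes_by_source(hits))
```

Feeding a real access log into `find_ivanti_probes` (for example, `open("access.log")`) yields one record per probe; the per-source counts make it easy to see whether one scanner is sweeping the address space or many independent actors have picked up the check. Note that a 200 response with a non-zero body on the check path is exactly what watchTowr's test treats as "mitigation applied", so the status and size columns are worth keeping in the output even though the match itself ignores them.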
One File, Two Payloads
Published: 2024-01-12
Last Updated: 2024-01-12 06:12:18 UTC
by Xavier Mertens (Version: 1)
It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is ...
The script starts with a strange trick: it lists the available Windows services, builds a string containing all the service names, and searches that string for the substring “Microsoft”.
Read the full entry: https://isc.sans.edu/diary/One+File+Two+Payloads/30558/
New YouTube Video Series: Hacker Tools Origin Stories
Published: 2024-01-11
Last Updated: 2024-01-11 12:40:31 UTC
by Johannes Ullrich (Version: 1)
I remembered that I should have mentioned this in today's podcast, so here it goes as a quick post. The amazing Mark Baggett stepped away from his Python console and started a new series of YouTube videos about the origin stories of various hacker tools. The first one he covers is Security Onion. These videos interview the creators of the tools to learn more about why and how they were created.
Read the full entry: https://isc.sans.edu/diary/New+YouTube+Video+Series+Hacker+Tools+Origin+Stories/30554/